Marked version 2.0.6 is a minor update over its predecessor, version 2.0.5, in this widely used markdown parsing library known for its speed. Both versions share the same package description and the MIT license; the differences lie in the development dependencies.
Specifically, version 2.0.6 upgrades several development dependencies, which may carry bug fixes, performance improvements, or security patches in those tools. The key updates are eslint (from 7.26.0 to 7.27.0), rollup (from 2.48.0 to 2.49.0), and eslint-plugin-import (from 2.23.2 to 2.23.3). These are development dependencies, so they are not installed by consumers of the package; the upgrades mainly keep the project's own build and lint tooling current and may resolve issues seen with those tools in earlier versions.
Both versions have the same unpacked size, which suggests that the library's core code is largely unchanged between the two releases. Version 2.0.6 was published approximately six days after 2.0.5, so the later version likely includes fixes for issues identified or reported in the intervening days. Users who experienced issues with eslint, rollup, or eslint-plugin-import in 2.0.5 should consider upgrading to 2.0.6.
All vulnerabilities affecting version 2.0.6 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may exhibit catastrophic backtracking on some inputs, so parse time grows far faster than input length. The PoC is the following:
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes.
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread with a reasonable time limit so that a pathological input cannot drain CPU resources.
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may exhibit catastrophic backtracking on some inputs, so parse time grows far faster than input length. The PoC is the following:
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes.
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread with a reasonable time limit so that a pathological input cannot drain CPU resources.