Marked 3.0.1 is a patch release following 3.0.0 and continues to deliver a fast, lightweight Markdown-to-HTML parser for JavaScript developers. Both versions share the same core functionality and package description; key features and performance are unchanged.
The differences between the two versions lie entirely in their development dependencies. In 3.0.1, eslint moves to ^7.32.0, rollup to ^2.56.3, jasmine to ^3.9.0, eslint-plugin-import to ^2.24.1 and semantic-release to ^17.4.5. These affect linting, bundling, testing and release tooling only; devDependencies are not installed by consumers of the package, so none of them change what ships to applications.
For developers using Marked, the public API and usage patterns are identical between these versions. The updated tooling does not change end-user behaviour, but keeping it current reflects routine maintenance of the codebase. The unpacked size grew slightly, from 307405 to 307847 bytes, which reflects minor changes in the shipped files and has no practical impact on usage.
All vulnerabilities affecting version 3.0.1 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
Proof of concept:
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread with a reasonable time limit so that a single hostile document cannot exhaust CPU and stall the process.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
Proof of concept:
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread with a reasonable time limit so that a single hostile document cannot exhaust CPU and stall the process.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: