Marked version 3.0.5 is a minor iteration over the preceding 3.0.4 release that updates several development dependencies. The core markdown parsing functionality is unchanged, but developers should note the tooling upgrades. rollup moves from version 2.56.3 to 2.58.0 and @rollup/plugin-commonjs from 20.0.0 to 21.0.0, which may refine the build process. The semantic-release tooling also sees major-version bumps: @semantic-release/git from 9.0.1 to 10.0.0, @semantic-release/npm from 7.1.3 to 8.0.0, @semantic-release/github from 7.2.3 to 8.0.1, @semantic-release/commit-analyzer from 8.0.1 to 9.0.1, @semantic-release/release-notes-generator from 9.0.3 to 10.0.2 and semantic-release itself from 17.4.7 to 18.0.0. These changes primarily streamline the release workflow for the Marked maintainers but could indirectly affect developers who rely on automated dependency management. The unpacked size of the package has slightly increased, from 308000 to 310435. Developers already on Marked 3.0.4 may consider upgrading to 3.0.5 to benefit from the improved build and release pipeline. New users will find either version stable and production-ready for parsing markdown, and staying on the latest release is always beneficial. The core functionality of Marked as a fast and reliable markdown parser is unchanged in this update.
All the vulnerabilities related to version 3.0.5 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is the following:
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following:
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: