Marked versions 4.0.0 and 4.0.1 are both iterations of a markdown parser designed for speed, offering developers a reliable tool for converting markdown text into HTML. While the core functionality remains consistent, a closer inspection reveals subtle yet important differences in their development dependencies and release details.
The primary distinction lies in the devDependencies. Version 4.0.1 features an updated version of eslint (8.2.0 compared to 8.1.0 in 4.0.0) and @semantic-release/npm (8.0.3 compared to 8.0.2). uglify-js is also updated from 3.14.2 to 3.14.3 and @semantic-release/github from 8.0.1 to 8.0.2. These updates typically incorporate bug fixes, performance improvements, and security patches within the respective development tools, contributing to a more robust development workflow.
Developers utilizing Marked should note these dependency updates in version 4.0.1, especially if they enforce strict dependency versioning in their projects or have encountered issues related to the older versions. Although the core parsing engine remains largely unchanged, these updated development dependencies offer a potentially smoother and more secure development experience. Furthermore, the releaseDate differs significantly, with version 4.0.0 released on November 2nd, 2021, and version 4.0.1 released on November 11th, 2021, indicating a relatively swift patch release addressing potential issues identified after the initial 4.0.0 release. The unpacked size is also slightly different.
All the vulnerabilities that affect version 4.0.1 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: