Marked versions 4.0.1 and 4.0.2 are both iterations of a popular, high-speed markdown parser designed for developers needing robust and efficient markdown processing in their JavaScript applications. Both versions share the same core functionality, providing a reliable tool for converting markdown syntax into HTML. They are licensed under the MIT license and maintained within the markedjs/marked GitHub repository.
The devDependencies are nearly identical: both versions use eslint for linting, rollup for bundling, cheerio for HTML parsing and jasmine for testing. The visible differences are a bump of the titleize devDependency from 2.1.0 to 3.0.0, one additional file in the published package, and an unpacked size roughly 90 KB larger.
For developers, the significance lies in stability and incremental improvement. Version 4.0.2 may include bug fixes or minor enhancements that this comparison does not surface, but the small diff points to maintenance work (dependency updates for security and compatibility) rather than functional change. Developers upgrading from 4.0.1 should review the changelog for the full list of changes. If 4.0.1 is stable in your deployment, the upgrade is not urgent, although staying current is recommended for the latest optimizations and security patches. Note that moving to 4.0.2 alone does not address the two ReDoS advisories listed below: both are fixed only in 4.0.10.
All vulnerabilities affecting version 4.0.2 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch exhibits catastrophic backtracking on crafted input, so a short document can pin the CPU for an unbounded time.
Proof of concept (run against a marked release before 4.0.10; the call does not return in any reasonable time):
import * as marked from 'marked';
// A reference definition followed by thirty copies of the fragment "\[\](":
// the unmatched openers are what inline.reflinkSearch backtracks over.
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def exhibits catastrophic backtracking on crafted input, so a short document can pin the CPU for an unbounded time.
Proof of concept (run against a marked release before 4.0.10):
import * as marked from "marked";
// A reference definition padded with 1500 spaces on each side of the
// destination: the long whitespace runs are what block.def backtracks over.
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
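The remediation both advisories give, running marked on a worker thread with a time limit, is shown below as an added example; it is not code from the marked project or from the advisories. So that it runs offline, the worker executes a constructed stand-in parser built around the nested-quantifier regex /^(a+)+$/ instead of marked itself; parseWithTimeout, WORKER_SOURCE and the two sample inputs are this example's own names. In production the worker body would call require('marked').parse(workerData.input) and the parent would keep the same timeout logic.

```javascript
// Added example (not code from the marked project): run a parser on untrusted
// input inside a worker thread with a hard wall-clock budget, the mitigation
// the two advisories above recommend. The "parser" is a constructed stand-in
// with a catastrophically backtracking regex so the file is self-contained.

// Worker body, evaluated as CommonJS source inside the worker (eval: true).
// Swap the stand-in for require('marked').parse(workerData.input) in real use.
const WORKER_SOURCE = `
  const { parentPort, workerData } = require('node:worker_threads');
  // Constructed stand-in for a parser with a superlinear regular expression:
  // nested quantifiers backtrack exponentially on input like "aaaa...a!".
  const parse = (input) =>
    (/^(a+)+$/.test(input) ? '<p>matched</p>' : '<p>no match</p>');
  parentPort.postMessage(parse(workerData.input));
`;

// Parse `input` in a fresh worker, allowing at most `limitMs` of wall-clock
// time. Resolves to { ok: true, html } or { ok: false, reason }; never rejects.
async function parseWithTimeout(input, limitMs = 200) {
  // Dynamic import works from both CommonJS and ESM callers.
  const { Worker } = await import('node:worker_threads');
  return new Promise((resolve) => {
    const worker = new Worker(WORKER_SOURCE, { eval: true, workerData: { input } });
    let settled = false;
    const finish = (result) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      // terminate() interrupts the worker's JavaScript even in the middle of a
      // regex match, so a stuck parse cannot hold the CPU beyond the budget.
      // It is a no-op if the worker has already exited.
      worker.terminate();
      resolve(result);
    };
    const timer = setTimeout(() => finish({ ok: false, reason: 'timeout' }), limitMs);
    worker.once('message', (html) => finish({ ok: true, html }));
    worker.once('error', (err) => finish({ ok: false, reason: String(err) }));
    worker.once('exit', (code) => {
      if (code !== 0) finish({ ok: false, reason: `worker exited with code ${code}` });
    });
  });
}

// Constructed inputs: one benign, one that triggers the backtracking blow-up
// (2^30 paths for the stand-in regex, far beyond any sane time budget).
const BENIGN_INPUT = 'aaaaaaaaaa';
const PATHOLOGICAL_INPUT = 'a'.repeat(30) + '!';

async function demo() {
  console.log(await parseWithTimeout(BENIGN_INPUT, 2000));      // { ok: true, html: '<p>matched</p>' }
  console.log(await parseWithTimeout(PATHOLOGICAL_INPUT, 200)); // { ok: false, reason: 'timeout' }
}
demo();
```

The budget should be generous enough for legitimate documents plus worker start-up (tens of milliseconds on a typical Node install), and the result of a timeout should be treated as a rejected document, not retried: the same input will hang again. A worker per request is the simplest form; a pooled worker that is terminated and replaced on timeout gives the same guarantee with less start-up cost.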