Marked versions 4.0.5 and 4.0.4 are both releases of a popular, fast markdown parser library for JavaScript environments. They share the same core functionality, converting markdown syntax into HTML. Both are licensed under MIT, which keeps them usable in a wide range of projects, and both were created by Christopher Jeffrey, whose experience in the field is reflected in the library's robustness. The repository for both versions is hosted on GitHub under the markedjs organization, with a larger community behind it.
While the package description and other metadata, such as the file count, are identical, there are subtle differences between the releases, mainly in their development dependencies. Version 4.0.5 upgrades eslint from 8.2.0 (used by 4.0.4) to 8.3.0. This small change suggests improved linting and style enforcement, which can lead to cleaner, more maintainable code in the marked library itself. In addition, the unpackedSize of version 4.0.5 is marginally larger (397920 bytes vs 394786 bytes for 4.0.4), hinting at minor code additions or adjustments, probably related to the eslint upgrade. The release dates show that version 4.0.5 is the more recent of the two, a sign that the project is alive and keeping up with the latest tooling. For developers, the eslint bump signals a commitment to code quality and, more generally, to adopting current libraries and technologies.
All vulnerabilities affecting version 4.0.5 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
The PoC is the following:
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes.
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread with a reasonable time limit so that a malicious document cannot drain resources.
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
The PoC is the following:
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes.
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked, or run marked on a worker thread with a reasonable time limit so that a malicious document cannot drain resources.