Marked version 4.0.9 introduces subtle but important updates compared to version 4.0.8, primarily focusing on improvements within the development environment and dependency management. For developers using Marked in their projects, the core parsing functionality remains consistent, ensuring minimal disruption to existing implementations. Key changes are reflected in the devDependencies, which define the tools used for building, testing, and releasing the library.
A notable update is the bump in eslint from version 8.4.1 to 8.6.0, which brings refinements to code linting and potentially stricter code-quality checks. The jasmine testing framework is upgraded from version 3.10.0 to 4.0.0, a major-version step that may bring enhancements to the test suite and, in turn, more robust and reliable code.
Other incremental updates include @babel/core moving from version 7.16.0 to 7.16.7, eslint-plugin-import from 2.25.3 to 2.25.4, eslint-plugin-promise from 5.2.0 to 6.0.0, and rollup-plugin-license from 2.6.0 to 2.6.1. While these updates might appear minor, they collectively contribute to a more stable and modern development pipeline, addressing potential bugs, security vulnerabilities, or performance bottlenecks in the build tooling. The dist section reveals a slight increase in unpacked size (from 397956 to 401633), possibly due to these incremental dependency updates or minor code additions. Developers should benefit from a more polished toolchain, even though the core markdown parsing behavior remains largely unchanged.
All vulnerabilities related to version 4.0.9 of the package
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from 'marked';
console.log(marked.parse(`[x]: x
\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory:
Inefficient Regular Expression Complexity in marked
What kind of vulnerability is it?
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings.
PoC is the following.
import * as marked from "marked";
marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Has the problem been patched?
Yes
What versions should users upgrade to?
4.0.10
Is there a way for users to fix or remediate the vulnerability without upgrading?
Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Are there any links users can visit to find out more?
If you have any questions or comments about this advisory: