Version Details and Security Vulnerabilities

📦

remark

0.1.0

Comparision Betweeen 0.1.0 and 0.0.1

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

remark

0.1.0

Comparision Betweeen 0.1.0 and 0.0.1

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.0 of the package remark.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.0 of the package

Summary:

Cross-Site Scripting in react

Details:

Versions of react prior to 0.14.0 are vulnerable to Cross-Site Scripting (XSS). The package's createElement function fails to properly validate its input object, allowing attackers to execute arbitrary JavaScript in a victim's browser.

Recommendation

Upgrade to version 0.14.0 or later.

Details about react@0.10.0

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Details about marked@0.3.19

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Details about marked@0.3.19

Summary:

Marked ReDoS due to email addresses being evaluated in quadratic time

Details:

Versions of marked from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Recommendation

Upgrade to version 0.6.2 or later.

Details about marked@0.3.19

Summary:

Prototype Pollution in object-path

Details:

object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). The del() function fails to validate which Object properties it deletes. This allows attackers to modify the prototype of Object, causing the modification of default properties like toString on all objects.

Details about object-path@0.6.0

Summary:

Prototype pollution in object-path

Details:

Impact

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable.

Patches

Upgrade to version >= 0.11.5

Workarounds

Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in object-path

Details about object-path@0.6.0

Summary:

Prototype Pollution in object-path

Details:

This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components used in the path parameter are arrays. In particular, the condition currentPath === '__proto__' returns false if currentPath is ['__proto__']. This is because the === operator returns always false when the type of the operands is different.

Details about object-path@0.6.0

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 0.1.0 of the package remark.

All Security Vulnerabilities

All the vulnerabilities related to the version 0.1.0 of the package

Summary:

Cross-Site Scripting in react

Details:

Recommendation

Upgrade to version 0.14.0 or later.

Details about react@0.10.0

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Details about marked@0.3.19

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Details about marked@0.3.19

Summary:

Marked ReDoS due to email addresses being evaluated in quadratic time

Details:

Recommendation

Upgrade to version 0.6.2 or later.

Details about marked@0.3.19

Summary:

Prototype Pollution in object-path

Details:

Details about object-path@0.6.0

Summary:

Prototype pollution in object-path

Details:

Impact

Patches

Upgrade to version >= 0.11.5

Workarounds

Don't use the includeInheritedProps: true options or the withInheritedProps instance if using a version >= 0.11.0.

References

For more information

If you have any questions or comments about this advisory:

Open an issue in object-path

Details about object-path@0.6.0

Summary:

Prototype Pollution in object-path

Details:

Details about object-path@0.6.0

Version Details and Security Vulnerabilities

remark

Comparision Betweeen 0.1.0 and 0.0.1

Security Vulnerabilities

Version Details and Security Vulnerabilities

remark

Comparision Betweeen 0.1.0 and 0.0.1

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

react@0.10.0 GHSA-hg79-j56m-fxgv N/A

Recommendation

marked@0.3.19 GHSA-5v2h-r2cx-5xgj 7.5

Impact

Patches

Workarounds

References

For more information

marked@0.3.19 GHSA-rrrm-qjm4-v8hf 7.5

Impact

Patches

Workarounds

References

For more information

marked@0.3.19 GHSA-xf5p-87ch-gxw2 5.3

Recommendation

object-path@0.6.0 GHSA-8v63-cqqc-6r2c 7.5

object-path@0.6.0 GHSA-cwx2-736x-mf6w 7.7

Impact

Patches

Workarounds

References

For more information

object-path@0.6.0 GHSA-v39p-96qg-c8rf 5.6

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

react@0.10.0 GHSA-hg79-j56m-fxgv N/A

Recommendation

marked@0.3.19 GHSA-5v2h-r2cx-5xgj 7.5

Impact

Patches

Workarounds

References

For more information

marked@0.3.19 GHSA-rrrm-qjm4-v8hf 7.5

Impact

Patches

Workarounds

References

For more information

marked@0.3.19 GHSA-xf5p-87ch-gxw2 5.3

Recommendation

object-path@0.6.0 GHSA-8v63-cqqc-6r2c 7.5

object-path@0.6.0 GHSA-cwx2-736x-mf6w 7.7

Impact

Patches

Workarounds

References

For more information

object-path@0.6.0 GHSA-v39p-96qg-c8rf 5.6