Version Details and Security Vulnerabilities

Summary:

Regular Expression Denial of Service in marked

Details:

Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The _label subrule may significantly degrade parsing performance of malformed input.

Recommendation

Upgrade to version 0.7.0 or later.

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Summary:

semver-regex Regular Expression Denial of Service (ReDOS)

Details:

npm semver-regex is vulnerable to Inefficient Regular Expression Complexity

Summary:

Regular expression denial of service in semver-regex

Details:

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Summary:

Hostname confusion in parse-url

Details:

Exposure of Sensitive Information to an Unauthorized Actor via hostname confusion in GitHub repository ionicabizau/parse-url prior to 6.0.1

Summary:

Server-Side Request Forgery in parse-url

Details:

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Summary:

Cross site scripting in parse-url

Details:

Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Summary:

Cross site scripting in parse-url

Details:

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 6.0.1

Summary:

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url

Details:

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Summary:

parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing

Details:

parse-url prior to 8.1.0 is vulnerable to Misinterpretation of Input. parse-url parses certain http or https URLs incorrectly, identifying the URL's protocol as ssh. It may also parse the host name incorrectly.

Details about parse-path@3.0.4

Summary:

Authorization Bypass in parse-path

Details:

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

Summary:

Prototype Pollution in lodash

Details:

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash.set@4.3.2

Summary:

@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Details:

Summary

The regular expression /<([^>]+)>; rel="deprecation"/ used to match the link header in HTTP responses is vulnerable to a ReDoS (Regular Expression Denial of Service) attack. This vulnerability arises due to the unbounded nature of the regex's matching behavior, which can lead to catastrophic backtracking when processing specially crafted input. An attacker could exploit this flaw by sending a malicious link header, resulting in excessive CPU usage and potentially causing the server to become unresponsive, impacting service availability.

Details

The vulnerability resides in the regular expression /<([^>]+)>; rel="deprecation"/, which is used to match the link header in HTTP responses. This regular expression captures content between angle brackets (<>) followed by ; rel="deprecation". However, the pattern is vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to its susceptibility to catastrophic backtracking when processing malicious input. An attacker can exploit this vulnerability by sending a specially crafted link header designed to trigger excessive backtracking. For example, the following headers:

fakeHeaders.set("link", "<".repeat(100000) + ">");
fakeHeaders.set("deprecation", "true");

The crafted link header consists of 100,000 consecutive < characters followed by a closing >. This input forces the regular expression engine to backtrack extensively in an attempt to match the pattern. As a result, the server can experience a significant increase in CPU usage, which may lead to denial of service, making the server unresponsive or even causing it to crash under load. The issue is present in the following code:

const matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);

In this scenario, the link header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.

PoC

Details about @octokit/request@5.6.3

run npm i @octokit/request
run 'node poc.js' result:
then the program will stuck forever with high CPU usage

import { request } from "@octokit/request";
const originalFetch = globalThis.fetch;
globalThis.fetch = async (url, options) => {
  const response = await originalFetch(url, options);
  const fakeHeaders = new Headers(response.headers);
  fakeHeaders.set("link", "<".repeat(100000) + ">");
  fakeHeaders.set("deprecation", "true");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: fakeHeaders
  });
};
request("GET /repos/octocat/hello-world")
  .then(response => {
    // console.log("[+] Response received:", response);
  })
  .catch(error => {
    // console.error("[-] Error:", error);
  });
// globalThis.fetch = originalFetch;

Impact

This is a Denial of Service (DoS) vulnerability caused by a ReDoS (Regular Expression Denial of Service) flaw. The vulnerability allows an attacker to craft a malicious link header that exploits the inefficient backtracking behavior of the regular expression used in the code. The primary impact is the potential for server resource exhaustion, specifically high CPU usage, which can cause the server to become unresponsive or even crash when processing the malicious request. This affects the availability of the service, leading to downtime or degraded performance. The vulnerability impacts any system that uses this specific regular expression to process link headers in HTTP responses. This can include:

Web applications or APIs that rely on parsing headers for deprecation information.
Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed.
Service providers who may face disruption in operations or performance degradation due to this flaw. If left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious link header, making it a low-barrier attack that could be exploited by anyone.

Summary:

@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Details:

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the processing of HTTP request headers. By sending an authorization header containing an excessively long sequence of spaces followed by a newline and "@", an attacker can exploit inefficient regular expression processing, leading to excessive resource consumption. This can significantly degrade server performance or cause a denial-of-service (DoS) condition, impacting availability.

Details

The issue occurs at line 52 of iterator.ts in the @octokit/request-error repository. The vulnerability is caused by the use of an inefficient regular expression in the handling of the authorization header within the request processing logic:

authorization: options.request.headers.authorization.replace(
  / .*$/, 
  " [REDACTED]"
)

The regular expression / .*$/ matches a space followed by any number of characters until the end of the line. This pattern is vulnerable to Regular Expression Denial of Service (ReDoS) when processing specially crafted input. Specifically, an attacker can send an authorization header containing a long sequence of spaces followed by a newline and "@", such as:

headers: {
  authorization: "" + " ".repeat(100000) + "\n@",
}

Due to the way JavaScript's regular expression engine backtracks while attempting to match the space followed by arbitrary characters, this input can cause excessive CPU usage, significantly slowing down or even freezing the server. This leads to a denial-of-service condition, impacting availability.

PoC

Details about @octokit/request-error@1.2.1

run npm i @octokit/request-error
run 'node poc.js' result:
then the program will stuck forever with high CPU usage

import { RequestError } from "@octokit/request-error";

const error = new RequestError("Oops", 500, {
  request: {
    method: "POST",
    url: "https://api.github.com/foo",
    body: {
      bar: "baz",
    },
    headers: {
      authorization: ""+" ".repeat(100000)+"\n@",
    },
  },
  response: {
    status: 500,
    url: "https://api.github.com/foo",
    headers: {
      "x-github-request-id": "1:2:3:4",
    },
    data: {
      foo: "bar",
    },
  },
});

Impact

Vulnerability Type & Impact:

This is a Regular Expression Denial of Service (ReDoS) vulnerability, which occurs due to an inefficient regular expression (/ .*$/) used to sanitize the authorization header. An attacker can craft a malicious input that triggers excessive backtracking in the regex engine, leading to high CPU consumption and potential denial-of-service (DoS).

Who is Impacted?

Projects or services using this code to process HTTP headers are vulnerable.
Applications that rely on user-supplied authorization headers are at risk, especially those processing a large volume of authentication requests.
Multi-tenant or API-driven platforms could experience degraded performance or service outages if exploited at scale.

Summary:

@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Details:

Summary

For the npm package @octokit/plugin-paginate-rest, when calling octokit.paginate.iterator(), a specially crafted octokit instance—particularly with a malicious link parameter in the headers section of the request—can trigger a ReDoS attack.

Details

The issue occurs at line 39 of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows:

url = ((normalizedResponse.headers.link || "").match(
  /<([^>]+)>;\s*rel="next"/,
) || [])[1];

The regular expression /<([^>]+)>;\s*rel="next"/ may lead to a potential backtracking vulnerability, resulting in a ReDoS (Regular Expression Denial of Service) attack. This could cause high CPU utilization and even service slowdowns or freezes when processing specially crafted Link headers.

PoC

Details about @octokit/plugin-paginate-rest@1.1.2

run npm i @octokit/plugin-paginate-rest
run 'node poc.js' result:
then the program will stuck forever with high CPU usage

import { Octokit } from "@octokit/core";
import { paginateRest } from "@octokit/plugin-paginate-rest";

const MyOctokit = Octokit.plugin(paginateRest);
const octokit = new MyOctokit({
  auth: "your-github-token",
});

// Intercept the request to inject a malicious 'link' header for ReDoS
octokit.hook.wrap("request", async (request, options) => {
  const maliciousLinkHeader = "" + "<".repeat(100000) + ">"; // attack string
  return {
    data: [],
    headers: {
      link: maliciousLinkHeader, // Inject malicious 'link' header
    },
  };
});

// Trigger the ReDoS attack by paginating through GitHub issues
(async () => {
  try {
    for await (const normalizedResponse of octokit.paginate.iterator(
      "GET /repos/{owner}/{repo}/issues", { owner: "DayShift", repo: "ReDos", per_page: 100 }
    )) {
      console.log({ normalizedResponse });
    }
  } catch (error) {
    console.error("Error encountered:", error);
  }
})();

Impact

What kind of vulnerability is it?

This is a Regular Expression Denial of Service (ReDoS) vulnerability, which occurs due to excessive backtracking in the regex pattern:

/<([^>]+)>;\s*rel="next"/

When processing a specially crafted Link header, this regex can cause significant performance degradation, leading to high CPU utilization and potential service unresponsiveness.

Who is impacted?

Users of @octokit/plugin-paginate-rest who call octokit.paginate.iterator() and process untrusted or manipulated Link headers.
Applications relying on Octokit's pagination mechanism, particularly those handling large volumes of API requests.
GitHub API consumers who integrate this package into their projects for paginated data retrieval.

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 15.9.1 of the package semantic-release.

All Security Vulnerabilities

All the vulnerabilities related to the version 15.9.1 of the package

Summary:

Secret disclosure when containing characters that become URI encoded

Details:

Impact

Secrets that would normally be masked by semantic-release can be accidentally disclosed if they contain characters that become encoded when included in a URL.

Patches

Fixed in v17.2.3

Workarounds

Secrets that do not contain characters that become encoded when included in a URL are already masked properly.

Details about semantic-release@15.9.1

Summary:

yargs-parser Vulnerable to Prototype Pollution

Details:

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

Details about yargs-parser@11.1.1

Summary:

Marked ReDoS due to email addresses being evaluated in quadratic time

Details:

Recommendation

Upgrade to version 0.6.2 or later.

Summary:

Regular Expression Denial of Service in marked

Details:

Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The _label subrule may significantly degrade parsing performance of malformed input.

Recommendation

Upgrade to version 0.7.0 or later.

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Summary:

Inefficient Regular Expression Complexity in marked

Details:

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

https://marked.js.org/using_advanced#workers
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

Summary:

semver-regex Regular Expression Denial of Service (ReDOS)

Details:

npm semver-regex is vulnerable to Inefficient Regular Expression Complexity

Summary:

Regular expression denial of service in semver-regex

Details:

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the semver-regex npm package, when an attacker is able to supply arbitrary input to the test() method

Summary:

Hostname confusion in parse-url

Details:

Exposure of Sensitive Information to an Unauthorized Actor via hostname confusion in GitHub repository ionicabizau/parse-url prior to 6.0.1

Summary:

Server-Side Request Forgery in parse-url

Details:

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Summary:

Cross site scripting in parse-url

Details:

Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to 7.0.0.

Summary:

Cross site scripting in parse-url

Details:

Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to 6.0.1

Summary:

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url

Details:

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.

Summary:

parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing

Details:

Details about parse-path@3.0.4

Summary:

Authorization Bypass in parse-path

Details:

Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.

Summary:

Prototype Pollution in lodash

Details:

This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.

Details about lodash.set@4.3.2

Summary:

@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Details:

Summary

Details

fakeHeaders.set("link", "<".repeat(100000) + ">");
fakeHeaders.set("deprecation", "true");

const matches = responseHeaders.link && responseHeaders.link.match(/<([^>]+)>; rel="deprecation"/);

In this scenario, the link header value triggers the regex to perform excessive backtracking, resulting in resource exhaustion and potentially causing the service to become unavailable.

PoC

Details about @octokit/request@5.6.3

run npm i @octokit/request
run 'node poc.js' result:
then the program will stuck forever with high CPU usage

import { request } from "@octokit/request";
const originalFetch = globalThis.fetch;
globalThis.fetch = async (url, options) => {
  const response = await originalFetch(url, options);
  const fakeHeaders = new Headers(response.headers);
  fakeHeaders.set("link", "<".repeat(100000) + ">");
  fakeHeaders.set("deprecation", "true");
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: fakeHeaders
  });
};
request("GET /repos/octocat/hello-world")
  .then(response => {
    // console.log("[+] Response received:", response);
  })
  .catch(error => {
    // console.error("[-] Error:", error);
  });
// globalThis.fetch = originalFetch;

Impact

Web applications or APIs that rely on parsing headers for deprecation information.
Users interacting with the affected service, as they may experience delays or outages if the server becomes overwhelmed.
Service providers who may face disruption in operations or performance degradation due to this flaw. If left unpatched, the vulnerability can be exploited by any unauthenticated user who is able to send a specially crafted HTTP request with a malicious link header, making it a low-barrier attack that could be exploited by anyone.

Summary:

@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Details:

Summary

Details

authorization: options.request.headers.authorization.replace(
  / .*$/, 
  " [REDACTED]"
)

headers: {
  authorization: "" + " ".repeat(100000) + "\n@",
}

PoC

Details about @octokit/request-error@1.2.1

run npm i @octokit/request-error
run 'node poc.js' result:
then the program will stuck forever with high CPU usage

import { RequestError } from "@octokit/request-error";

const error = new RequestError("Oops", 500, {
  request: {
    method: "POST",
    url: "https://api.github.com/foo",
    body: {
      bar: "baz",
    },
    headers: {
      authorization: ""+" ".repeat(100000)+"\n@",
    },
  },
  response: {
    status: 500,
    url: "https://api.github.com/foo",
    headers: {
      "x-github-request-id": "1:2:3:4",
    },
    data: {
      foo: "bar",
    },
  },
});

Impact

Vulnerability Type & Impact:

Who is Impacted?

Projects or services using this code to process HTTP headers are vulnerable.
Applications that rely on user-supplied authorization headers are at risk, especially those processing a large volume of authentication requests.
Multi-tenant or API-driven platforms could experience degraded performance or service outages if exploited at scale.

Summary:

@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking

Details:

Summary

Details

The issue occurs at line 39 of iterator.ts in the @octokit/plugin-paginate-rest repository. The relevant code is as follows:

url = ((normalizedResponse.headers.link || "").match(
  /<([^>]+)>;\s*rel="next"/,
) || [])[1];

PoC