GMS-2020-368: Denial of Service in markdown-it-toc-and-anchor

September 1, 2020 (updated September 24, 2021)

All versions of markdown-it-toc-and-anchor are vulnerable to Denial of Service. Parsing markdown containing **text**+@[toc] causes the application to enter and infinite loop. No fix is currently available. Consider using an alternative module until a fix is made available.

References

github.com/advisories/GHSA-x6m6-5hrf-fh6r
github.com/medfreeman/markdown-it-toc-and-anchor
snyk.io/vuln/SNYK-JS-MARKDOWNITTOCANDANCHOR-73500
www.npmjs.com/advisories/749

Detect and mitigate GMS-2020-368 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →