GMS-2020-366: Regular Expression Denial of Service in markdown

September 4, 2020

All versions of markdown are vulnerable to Regular Expression Denial of Service (ReDoS). The markdown.toHTML() function has significantly degraded performance when parsing long strings containing underscores. This may lead to Denial of Service if the parser accepts user input. No fix is currently available. Consider using an alternative package until a fix is made available.

References

github.com/advisories/GHSA-wx77-rp39-c6vg
www.npmjs.com/advisories/1330

Detect and mitigate GMS-2020-366 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →