Advisories for Npm/Marked package

2022

Inefficient Regular Expression Complexity

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched. As a workaround, avoid running untrusted markdown through marked, or run marked on a worker thread and set a reasonable time limit to …

Inefficient Regular Expression Complexity

The regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched. As a workaround, avoid running untrusted markdown through marked, or run marked on a worker thread and set a reasonable time …

2021

Uncontrolled Resource Consumption

Marked is an open-source markdown parser and compiler. In marked from and, there is a regular expression denial of service (ReDoS) vulnerability. This vulnerability can affect anyone who runs user-generated content through marked. This vulnerability is fixed

2020
2019

Regular Expression Denial of Service in marked

Versions of marked prior to 0.6.2 and later than 0.3.14 are vulnerable to regular expression denial of service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the Node process through resource exhaustion. Recommendation: upgrade to version 0.6.2 or later.

2018

Cross-site Scripting

Due to the way that marked parses input, specifically HTML entities, it is possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because an entity such as &#xNNanything; is parsed only as far as it can be, and the remainder is left behind, so that just anything; remains in the output.

2017

Regular Expression Denial of Service in marked

The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."

2016

Sanitization bypass using HTML Entities

Due to the way that marked parses input, specifically HTML entities, it is possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because an entity such as &#xNNanything; is parsed only as far as it can be, and the remainder is left behind, so that just anything; remains in the output.

2015

VBScript Content Injection

Marked is vulnerable to content injection even when sanitize: true is enabled. The markdown [xss link](vbscript:alert(1&#41;) produces the link <a href="vbscript:alert(1)">xss link</a>. This script does not work in IE edge mode, but works in IE compatibility view.

2014

Marked multiple content injection vulnerabilities

Marked comes with an option to sanitize user output to help protect against content injection attacks (sanitize: true). Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is provided to marked and the output is passed to the browser. Injection is possible in two locations:
- GFM code blocks (the language identifier)
- javascript: URLs