CVE-2022-21680

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/01/2022
Last modified:
07/11/2023

Description

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:* 4.0.10 (excluding)
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*