CVE-2022-21680

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Configurations

Configuration 1

cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Information

Published : 2022-01-14 05:15

Updated : 2022-11-16 03:27


NVD link : CVE-2022-21680

Mitre link : CVE-2022-21680

Products Affected
No products.
CWE
CWE-1333

Inefficient Regular Expression Complexity

CWE-400