
GHSA-xf5p-87ch-gxw2

Published: 05 Jun 2019
Source: github
GitHub: Reviewed
CVSS3: 5.3

Description

Marked ReDoS due to email addresses being evaluated in quadratic time

Versions of marked from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Recommendation

Upgrade to version 0.6.2 or later.

Packages

Name: marked (npm)
Affected versions: >= 0.3.14, < 0.6.2
Fixed version: 0.6.2

CVSS3: 5.3 Medium

Weaknesses: CWE-400
