GHSA-xf5p-87ch-gxw2 – marked

Package

Manager: npm
Name: marked
Vulnerable Version: >=0.3.14 <0.6.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Marked ReDoS due to email addresses being evaluated in quadratic time Versions of `marked` from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion. ## Recommendation Upgrade to version 0.6.2 or later.

Metadata

Created: 2019-06-05T14:10:03Z
Modified: 2022-08-02T17:43:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/06/GHSA-xf5p-87ch-gxw2/GHSA-xf5p-87ch-gxw2.json
CWE IDs: ["CWE-400"]
Alternative ID: N/A
Finding: F002
Auto approve: 1