Regular Expression Denial of Service in marked

High severity • GitHub Reviewed • Published Jul 24, 2018 • Updated Jan 8, 2021

Package

npm marked (npm)

Affected versions

< 0.3.9

Patched versions

0.3.9

Description

Affected versions of marked are vulnerable to a regular expression denial of service.

The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.

Recommendation

Update to version 0.3.9 or later.
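As an added example (not part of the advisory or of the marked project), a script that checks a parsed npm lockfile for installed copies of marked in the affected range; the lockfile contents and every version number other than 0.3.9 are constructed sample data.

```javascript
// Added example (not from the advisory or the marked project): find marked installs
// older than the patched release 0.3.9 in a parsed npm package-lock.json.
const PATCHED_MARKED = '0.3.9';

// Parse "MAJOR.MINOR.PATCH" into numbers; a leading "v" or a suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// true when a < b, numerically, so 0.3.10 ranks above 0.3.9 (string order would not).
function versionLessThan(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Return [{ path, version }] for every marked install in the affected range.
// Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 (nested tree).
function findVulnerableMarked(lock) {
  const hits = [];
  const check = (path, version) => {
    if (versionLessThan(version, PATCHED_MARKED)) hits.push({ path, version });
  };
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/marked$/.test(path)) check(path, info.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'marked') check(path, info.version);
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (the versions other than 0.3.9 are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    marked: { version: '0.3.6' },
    'docs-tool': { version: '1.0.0', dependencies: { marked: { version: '0.3.9' } } },
    'site-gen': { version: '2.0.0', dependencies: { marked: { version: '0.4.0' } } },
  },
};
```

Against a real project, pass it `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of `SAMPLE_LOCK`; only the top-level 0.3.6 copy in the sample is reported, since nested 0.3.9 and 0.4.0 are already patched.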

CVE ID

CVE-2017-16114