Regular Expression Denial of Service in marked

Moderate severity GitHub Reviewed Published Jun 5, 2019 • Updated Aug 4, 2021

Package

npm marked (npm)

Affected versions

< 0.3.18

Patched versions

0.3.18

Description

Versions of marked later than 0.3.14 and prior to 0.6.2 are vulnerable to Regular Expression Denial of Service (ReDoS). The regular expression marked uses to recognise email addresses can be driven into quadratic-time backtracking by crafted input. Because the match runs synchronously, one malicious document is enough to keep the Node.js event loop busy for as long as the attacker can afford to grow the input, denying service to every other request and, under resource exhaustion, potentially crashing the process.
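As an added illustration (not code from marked or from this advisory), the block below pairs a constructed email-scanning regex that backtracks quadratically, the failure mode described above, with a linear-time scanner that returns the same match on well-formed input. The regex is a stand-in with the shape typical email patterns have, not marked's actual expression; the caps MAX_LOCAL and MAX_DOMAIN are assumptions added as hardening.

```javascript
// Added example for this advisory, not code from marked. QUADRATIC_EMAIL is a
// constructed stand-in that shows the advisory's failure mode; it is not
// marked's actual pattern.

// Vulnerable shape: an unanchored search whose greedy local-part class is
// followed by a literal "@". On an n-character input with no "@", the engine
// tries every start position and, from each, backtracks through every possible
// local-part length before giving up: O(n^2) steps for zero matches.
const QUADRATIC_EMAIL = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/;

function findEmailQuadratic(text) {
  const m = QUADRATIC_EMAIL.exec(text);
  return m ? m[0] : null;
}

// Linear-time alternative: locate each "@" with indexOf, then expand outward
// one character at a time. Nothing backtracks; each character is visited a
// bounded number of times, so cost is O(n) whatever the input looks like.
const LOCAL_CHAR = /[\w.+-]/;
const DOMAIN_CHAR = /[\w-]/;
const MAX_LOCAL = 64;   // assumed cap (RFC 5321 local-part limit)
const MAX_DOMAIN = 253; // assumed cap (DNS name length limit)

function findEmailLinear(text) {
  const n = text.length;
  for (let at = text.indexOf('@'); at !== -1; at = text.indexOf('@', at + 1)) {
    // Local part: walk left over permitted characters (a previous "@" stops it).
    let start = at;
    while (start > 0 && LOCAL_CHAR.test(text[start - 1])) start--;
    // Domain: consume dot-separated non-empty labels, as the regex would,
    // stopping before an empty label or a trailing dot.
    let end = at + 1;
    while (end < n && DOMAIN_CHAR.test(text[end])) end++;
    let labels = end > at + 1 ? 1 : 0;
    while (labels > 0 && end < n && text[end] === '.') {
      let q = end + 1;
      while (q < n && DOMAIN_CHAR.test(text[q])) q++;
      if (q === end + 1) break; // empty label: the match ends before this dot
      end = q;
      labels++;
    }
    const localLen = at - start;
    const domainLen = end - (at + 1);
    if (localLen > 0 && localLen <= MAX_LOCAL && labels >= 2 && domainLen <= MAX_DOMAIN) {
      return text.slice(start, end);
    }
    // Otherwise no match can use this "@"; any later start position would
    // reach the same "@" with a shorter local part and fail the same way.
  }
  return null;
}

// True when both scanners return the same result for a given input.
function agree(text) {
  return findEmailQuadratic(text) === findEmailLinear(text);
}

// Timing demo on constructed hostile input: no "@" at all, so there is nothing
// to find, yet the regex's cost grows with the square of the length.
function measureMs(fn, text) {
  const t0 = performance.now();
  fn(text);
  return performance.now() - t0;
}

for (const n of [2000, 4000, 8000]) {
  const hostile = 'a'.repeat(n);
  console.log(`n=${n}: regex ${measureMs(findEmailQuadratic, hostile).toFixed(1)} ms, ` +
              `linear ${measureMs(findEmailLinear, hostile).toFixed(2)} ms`);
}
```

Doubling the input roughly quadruples the regex time while the linear scanner stays flat; that growth curve, not any single slow call, is the signature to look for when testing a parser's regexes against attacker-controlled text.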

Recommendation

Upgrade to version 0.6.2 or later. Note that the Affected versions and Patched versions fields above (< 0.3.18 and 0.3.18) do not agree with the range given in the description (later than 0.3.14, prior to 0.6.2); moving to 0.6.2 or later satisfies both. Until the upgrade ships, treat any Markdown from untrusted sources as a potential event-loop blocker: cap the input size and render it off the request-serving thread (for example in a worker process with a timeout), since a synchronous regex match cannot be interrupted once it has started.

GHSA ID

GHSA-xf5p-87ch-gxw2

CVSS Score

5.3 Moderate
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L