Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Untriaged

Filter by:

With package: haskellPackages.yaml-marked

Found 1 matching suggestions

View:

Compact

Detailed

Permalink CVE-2018-25110

created 6 months ago

Regular Expression Denial of Service (ReDoS) in markedjs/marked

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

References

https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd… patch
https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/C… exploit
https://github.com/markedjs/marked/issues/1070 issue-tracking
https://github.com/markedjs/marked/pull/1083 issue-tracking

Affected products

marked

<0.3.17

Matching in nixpkgs

pkgs.marked-man

Markdown to roff wrapper around marked

nixos-unstable -
- nixpkgs-unstable 2.1.0

pkgs.haskellPackages.yaml-marked

Support for parsing and rendering YAML documents with marks

nixos-unstable -
- nixpkgs-unstable 0.2.0.1

Package maintainers

@Atemu Atemu <nixpkgs@mail.atemu.net>

1