EIQ-2019-0029



ID: EIQ-2019-0029

CVE: -

Description: marked is vulnerable to regular expression denial of service

Date: 01 Aug 2019

Severity: 2 - MEDIUM

CVSSv3 score: CVSSv3 score not available on NIST NVD.

Status: 2.6.0 (resolved)

Assessment

marked versions 0.4.0 through 0.6.3 (inclusive) are vulnerable to regular expression denial of service (ReDoS).

The label sub-rule may take quadratic time to parse malformed input that contains back quotes/back ticks (`).
This may result in a denial of service through CPU consumption.

Mitigation

Upgrade marked to version 0.7.0 or later.

At the moment, marked cannot be upgraded globally, because it occurs at least once as a sub-dependency.
Sub-dependencies are indirect dependencies pulled in by other third-party dependencies.

We cannot control these dependencies.
We address such issues as soon as eligible third-party patches become available from their respective vendors, owners, or official maintainers.

Affected versions

2.5.0 and earlier.

Notes

For more information, see:

In release notes 2.5.0

In release notes 2.6.0