EIQ-2019-0024



ID

EIQ-2019-0024

CVE

-

Description

marked is vulnerable to regular expression denial of service

Date

29 Apr 2019

Severity

2 - MEDIUM

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

2.5.0

Assessment

marked versions 0.3.14 through 0.6.1 are vulnerable to regular expression denial of service (ReDoS).

It may take quadratic time for the inline.text regex to scan for possible email addresses.
This may result in a denial of service (CPU consumption).

Mitigation

Upgrade marked to version 0.6.2 or later.

Affected versions

2.3.4 and 2.4.0

Notes

For more information, see:



In release notes 2.4.0

In release notes 2.5.0