EIQ-2019-0029#

ID	EIQ-2019-0029
CVE	-
Description	marked is vulnerable to regular expression denial of service
Date	01 Aug 2019
Severity	2 - MEDIUM
CVSSv3 score	CVSSv3 score not available on NIST NVD.
Status	✅ 2.6.0
Assessment	marked versions from 0.4.0 to 0.6.3 included are vulnerable to regular expression denial of service (ReDoS). It may take quadratic time for the `_label_` sub-rule to parse malformed input when using back quotes/back ticks (`). This may result in a denial of service (CPU consumption).
Mitigation	Upgrade marked to version 0.7.0 or later. At the moment, it is not possible to globally upgrade marked, because it occurs at least once as a sub-dependency. Sub-dependencies are indirect dependencies of other third-party dependencies. We cannot control these dependencies. We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.
Affected versions	2.5.0 and earlier.
Notes	For more information, see: npm security advisory about the vulnerability Snyk report about the vulnerability GitHub issue GitHub PR with the fix