EIQ-2019-0029

ID: EIQ-2019-0029
CVE: -
Description: marked is vulnerable to regular expression denial of service
Date: 01 Aug 2019
Severity: 2 - MEDIUM
CVSSv3 score: not available on NIST NVD.
Status: ✅ 2.6.0

Assessment

marked versions 0.4.0 through 0.6.3 (inclusive) are vulnerable to regular expression denial of service (ReDoS).

The _label_ sub-rule may take quadratic time to parse malformed input that uses back quotes/back ticks (`).

This may result in a denial of service (CPU consumption).

Mitigation

Upgrade marked to version 0.7.0 or later.

At the moment, marked cannot be upgraded globally, because it occurs at least once as a sub-dependency.

Sub-dependencies are indirect dependencies of other third-party dependencies.

We cannot control these dependencies.

We address these issues as soon as eligible third-party patches become available through their respective vendors, owners, or official maintainers.
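One way to locate the sub-dependency copies the mitigation refers to, as an added example that is not part of this advisory: the script below walks a dependency tree in the shape of `npm ls --json` output and lists every copy of marked in the vulnerable range. The sample tree, its package names other than marked, and all versions are constructed for the example.

```javascript
// Added example, not from the advisory: walk an `npm ls --json` style
// dependency tree and report every copy of marked whose version falls in the
// vulnerable range 0.4.0 .. 0.6.3, including copies only reachable as sub-dependencies.
const VULN_MIN = '0.4.0';
const VULN_MAX = '0.6.3';

// Minimal comparison for plain x.y.z versions (no prerelease tags): -1, 0 or 1.
function cmp(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isVulnerableMarked(name, version) {
  return name === 'marked' && cmp(version, VULN_MIN) >= 0 && cmp(version, VULN_MAX) <= 0;
}

// Returns one "root@v > dep@v > marked@v" path per vulnerable copy found.
function findVulnerableMarked(tree) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (isVulnerableMarked(name, info.version)) hits.push(here.join(' > '));
      walk(info.dependencies, here); // recurse into nested (sub-)dependencies
    }
  };
  walk(tree.dependencies, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Constructed sample in the shape of `npm ls --json` output; package names
// other than marked and all versions are made up for this example.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    marked: { version: '0.7.0' }, // patched top-level copy
    'docs-tool': { version: '2.1.0', dependencies: { marked: { version: '0.6.2' } } },
    'report-gen': { version: '1.4.1', dependencies: {
      'md-render': { version: '3.0.0', dependencies: { marked: { version: '0.3.19' } } } } },
  },
};

console.log(findVulnerableMarked(SAMPLE_TREE));
```

To check a real project, replace SAMPLE_TREE with the parsed output of `npm ls --json --all` run in that project.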

Affected versions

2.5.0 and earlier.

Notes

For more information, see: