GMS-2019-134: Regular Expression Denial of Service in marked

June 5, 2019 (updated August 2, 2022)

Versions of marked prior to 0.6.2 and later than 0.3.14 is vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.

Recommendation

Upgrade to version 0.6.2 or later.

References

github.com/advisories/GHSA-xf5p-87ch-gxw2
github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d
github.com/markedjs/marked/issues/1070
github.com/markedjs/marked/pull/1460
snyk.io/vuln/SNYK-JS-MARKED-174116
www.npmjs.com/advisories/812

Code Behaviors & Features

Detect and mitigate GMS-2019-134 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →