GMS-2020-777: Regular Expression Denial of Service in simple-markdown

September 3, 2020 (updated September 29, 2021)

Versions of simple-markdown prior to 0.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS). The SimpleMarkdown.defaultInlineParse() function has significantly degraded performance when parsing inline code blocks.

Recommendation

Upgrade to version 0.5.2 or later.

References

github.com/Khan/simple-markdown/issues/71
github.com/advisories/GHSA-4xf9-pgvv-xx67
snyk.io/vuln/SNYK-JS-SIMPLEMARKDOWN-460540
www.npmjs.com/advisories/1147

Code Behaviors & Features

Detect and mitigate GMS-2020-777 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →