Bug 1926866 (CVE-2021-21306) - CVE-2021-21306 nodejs-marked: Regular expression denial of service
Summary: CVE-2021-21306 nodejs-marked: Regular expression denial of service
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-21306
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1926872 1926870 1926871 1927209
Blocks: 1926874
Reported: 2021-02-09 15:19 UTC by Pedro Sampaio
Modified: 2023-08-31 08:58 UTC (History)

Fixed In Version: nodejs-marked 2.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-28 08:47:13 UTC
Embargoed:


Description Pedro Sampaio 2021-02-09 15:19:03 UTC
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a regular expression denial of service (ReDoS) vulnerability. This vulnerability can affect anyone who runs user-generated code through marked. This vulnerability is fixed in version 2.0.0.

References:

https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd
https://github.com/markedjs/marked/issues/1927
https://github.com/markedjs/marked/pull/1864
https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96
https://www.npmjs.com/package/marked

Comment 1 Pedro Sampaio 2021-02-09 15:27:51 UTC
Created marked tracking bugs for this issue:

Affects: epel-all [bug 1926872]
Affects: fedora-all [bug 1926871]


Created nodejs-marked tracking bugs for this issue:

Affects: fedora-32 [bug 1926870]

Comment 5 Przemyslaw Roguski 2021-02-15 11:14:47 UTC
Affected versions >=1.1.2 and <2.0.0,
see: https://github.com/markedjs/marked/issues/1927#issuecomment-773728733
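An added defensive check, not code from this bug report or the marked project: a Node script that scans a package-lock.json for installed copies of marked whose version falls in the range this bug describes (from 1.1.1 per the description, before the fixed 2.0.0), including transitive copies nested under other packages. The lower bound is a parameter so the narrower range from Comment 5 (>=1.1.2) can be applied; the lockfile and its contents are constructed for the example.

```javascript
// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Affected when lower <= version < 2.0.0. The lower bound defaults to 1.1.1
// (description); pass "1.1.2" to use the range given in Comment 5.
function isAffectedMarked(version, lower = "1.1.1") {
  return compareVersions(version, lower) >= 0 && compareVersions(version, "2.0.0") < 0;
}

// Handles lockfile v1 (nested "dependencies") and v2/v3 (flat "packages" map,
// preferred when present so entries are not counted twice). Returns every
// install path that holds an affected copy of marked, nested ones included.
function findAffectedMarked(lock, lower = "1.1.1") {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/marked$/.test(path) && isAffectedMarked(pkg.version, lower))
      hits.push({ path, version: pkg.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "marked" && isAffectedMarked(dep.version, lower)) hits.push({ path, version: dep.version });
      walk(dep.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v1 shape): the top-level marked is already
// fixed, but a dependency pins its own vulnerable copy underneath it.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    marked: { version: "2.0.0" },
    "some-doc-tool": { version: "1.0.0", dependencies: { marked: { version: "1.2.9" } } },
  },
};
console.log(findAffectedMarked(SAMPLE_LOCK)); // → one hit: node_modules/some-doc-tool/node_modules/marked 1.2.9
```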
