marked
cpe:2.3:a:marked_project:marked:*:*:*:*:*:*:*, +1 more
- < 0.3.17
A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the NPM package 'marked' prior to version 0.3.17. It arises from catastrophic backtracking in several of the regular expressions the parser uses to recognise HTML tags and markdown links: when adjacent quantifiers can consume the same characters, a non-matching suffix forces the engine to retry every way of splitting the input, and the number of retries grows exponentially with input length. An attacker exploits this by submitting crafted markdown containing deeply nested or repetitively structured brackets or tag attributes, which makes the parser hang and results in a denial of service.
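The following is an added example, not code from the marked project or from the proof-of-concept repository the advisory refers to. It uses a constructed HTML-tag regex (TAG_VULNERABLE) that exhibits the defect class described above, the hardened form of the same pattern, a constructed hostile input, and a length budget that is enforced before any regex runs. The regexes, the 4096-character budget and the helper names are all assumptions made for illustration.

```javascript
// Added example (not marked's own regex). Two adjacent quantifiers that can
// both consume the same characters, followed by a suffix that never matches,
// give exponential backtracking in a backtracking regex engine such as V8's.

// VULNERABLE (constructed): `\s*` between attributes allows a run of letters
// to be split between the tag name and any number of attribute names. When
// the closing `>` is missing, every one of the 2^(n-1) splits is retried.
const TAG_VULNERABLE = /^<[a-z]+(?:\s*[a-z]+(?:=[^\s>]+)?)*\s*>/;

// HARDENED (constructed): attributes must be separated by at least one
// whitespace character, so each run of letters has exactly one parse and
// a failed match backtracks only a linear number of times.
const TAG_HARDENED = /^<[a-z]+(?:\s+[a-z]+(?:=[^\s>]+)?)*\s*>/;

// Constructed hostile input modelled on the advisory's description: a tag
// whose attribute region is a long repetitive run, with no closing `>`.
function hostileTag(n) {
  return "<" + "a".repeat(n) + "!";
}

// Run one regex against one input and return [matched, elapsedMilliseconds].
function timeMatch(re, input) {
  const t0 = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - t0) / 1e6;
  return [matched, elapsedMs];
}

// Defence that does not depend on getting every regex right: refuse input
// above a budget before any pattern runs. The budget value is an assumption.
const MAX_TAG_LENGTH = 4096;
function parseTag(input, re = TAG_HARDENED) {
  if (input.length > MAX_TAG_LENGTH) {
    return { ok: false, reason: "too long" };
  }
  return re.test(input)
    ? { ok: true, reason: "match" }
    : { ok: false, reason: "no match" };
}

// Demonstrate the growth: each +4 on n multiplies the vulnerable regex's
// running time by roughly 16, while the hardened regex stays flat.
function demo(sizes = [12, 16, 20]) {
  const rows = [];
  for (const n of sizes) {
    const input = hostileTag(n);
    const [, vulnMs] = timeMatch(TAG_VULNERABLE, input);
    const [, safeMs] = timeMatch(TAG_HARDENED, input);
    rows.push({ n, vulnMs, safeMs });
    console.log(
      `n=${n}: vulnerable ${vulnMs.toFixed(2)} ms, hardened ${safeMs.toFixed(3)} ms`
    );
  }
  return rows;
}

demo();
```

Both regexes accept the same well-formed tags, so the hardening is a change in matching strategy rather than in accepted syntax; the length budget is the independent control that bounds worst-case work even if a future pattern reintroduces ambiguity.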
Exploitation causes the application to hang and consume CPU for an extended period, disrupting normal operations. Because Node.js executes JavaScript on a single thread, one request carrying the crafted input stalls every other request the process is serving until the regex match completes.
To reproduce this vulnerability, install a vulnerable version of 'marked' (specifically 0.3.16) and run the 'index.js' file included in the proof-of-concept repository. It feeds the parser a markdown input that triggers the catastrophic backtracking and causes the application to hang. The 'real_example.txt' file from the same repository can also be used to replicate the issue.
Users should upgrade 'marked' to version 0.4.0 or later. The affected range ends at 0.3.17, so any release from 0.3.17 onward falls outside it, but 0.4.0 is the recommended target.