CVE-2018-25110

Name: CVE-2018-25110

Description: Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| node-marked (PTS) | bullseye | 0.8.0+ds+repack-2 | fixed |
| | bookworm | 4.2.3+ds+~4.0.7-2 | fixed |
| | sid, trixie | 4.2.3+ds+~4.0.7-4 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| node-marked | source | (unstable) | 0.5.1+dfsg-1 | | | |

Notes

https://github.com/markedjs/marked/issues/1070
https://github.com/markedjs/marked/pull/1083
Fixed by: https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d (v0.3.18)
Fixed by: https://github.com/markedjs/marked/commit/2846212bb025d483690b95a007994d0d027ed056 (v0.3.18)
