org.webjars.bower:markdown-it 4.2.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.bower:markdown-it package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) org.webjars.bower:markdown-it is a modern pluggable markdown parser. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `/s+$/` in line 23 of `lib/rules_inline/newline.js`. This expression is used to remove trailing whitespaces from a string, however, it also matches non-trailing whitespaces. In the worst-case scenario, the matching process would take computation time proportional to the square of the length of the non-trailing whitespaces. It is possible that a string containing more than tens of thousands characters, as `markdown-it` handles `Markdown`, would be passed over the network, resulting in significant computational time. How to fix Regular Expression Denial of Service (ReDoS)? There is no fixed version for `org.webjars.bower:markdown-it`.	[0,)
M Regular Expression Denial of Service (ReDoS) org.webjars.bower:markdown-it is a modern pluggable markdown parser. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing _*… takes quadratic time, this could be a denial of service vulnerability in an application that parses user input. How to fix Regular Expression Denial of Service (ReDoS)? There is no fixed version for `org.webjars.bower:markdown-it`.	[0,)
M Cross-site Scripting (XSS) `markdown-it` is a modern pluggable markdown parser. Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via Class Injection. The markdown-it renderer blindly appends the character class to the `language-` part of the tag. If there is a space in the language name, it'll be rendered into two separate classes. \`\`\` foo bar code \`\`\` will be rendered into `<pre><code style="language-foo bar"> code </code></pre>` A malicious user can attach an arbitrary class to the `code` tag. How to fix Cross-site Scripting (XSS)? Upgrade `markdown-it` to version 4.3.1 or higher.	[4.0.0,4.3.1)

Vulnerability

Vulnerable Version

Regular Expression Denial of Service (ReDoS)

org.webjars.bower:markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the /s+$/ in line 23 of lib/rules_inline/newline.js. This expression is used to remove trailing whitespaces from a string, however, it also matches non-trailing whitespaces. In the worst-case scenario, the matching process would take computation time proportional to the square of the length of the non-trailing whitespaces. It is possible that a string containing more than tens of thousands characters, as markdown-it handles Markdown, would be passed over the network, resulting in significant computational time.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for org.webjars.bower:markdown-it.

[0,)

Regular Expression Denial of Service (ReDoS)

org.webjars.bower:markdown-it is a modern pluggable markdown parser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing _*… takes quadratic time, this could be a denial of service vulnerability in an application that parses user input.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for org.webjars.bower:markdown-it.

[0,)

Cross-site Scripting (XSS)

markdown-it is a modern pluggable markdown parser.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via Class Injection.

The markdown-it renderer blindly appends the character class to the language- part of the tag. If there is a space in the language name, it'll be rendered into two separate classes.

\`\`\`
foo&#x20;bar
code
\`\`\`

will be rendered into

<pre><code style="language-foo bar">
code
</code></pre>

A malicious user can attach an arbitrary class to the code tag.

How to fix Cross-site Scripting (XSS)?

Upgrade markdown-it to version 4.3.1 or higher.

[4.0.0,4.3.1)

org.webjars.bower:markdown-it@4.2.0 vulnerabilities

latest version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?