marked 15.0.3 (latest version; first published 13 years ago, latest version published 12 days ago)
Known vulnerabilities in the marked package. This does not include vulnerabilities belonging to this package's dependencies. marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.

| Vulnerability | Vulnerable Version |
|---|---|
| Regular Expression Denial of Service (ReDoS): affected versions are vulnerable to ReDoS when unsanitized user input is passed to …. Fix: upgrade to 4.0.10 or later. | <4.0.10 |
| Regular Expression Denial of Service (ReDoS): affected versions are vulnerable to ReDoS when passing unsanitized user input to …. Fix: upgrade to 4.0.10 or later. | <4.0.10 |
| Regular Expression Denial of Service (ReDoS): affected versions are vulnerable to ReDoS. The …. Fix: upgrade to 1.1.1 or later. | <1.1.1 |
| Regular Expression Denial of Service (ReDoS): a denial-of-service condition can be triggered by exploiting the …. Fix: upgrade to 0.4.0 or later. | <0.4.0 |
| Regular Expression Denial of Service (ReDoS): matching input of about 150 characters can take roughly 10 seconds. Fix: upgrade to 0.3.18 or later. | <0.3.18 |
| Cross-site Scripting (XSS): when mangling is disabled via the … option. For example, … will render …. Fix: upgrade to 0.3.9 or later. | <0.3.9 |
| Cross-site Scripting (XSS): browsers accept both lowercase and uppercase x in the hexadecimal form of an HTML character reference (`&#x6a;` and `&#X6A;` both decode to `j`), but marked unescaped only the lowercase form, so an attacker can craft a link whose target passes marked's check yet decodes to JavaScript code in the browser. For example, … will render …. Fix: upgrade to 0.3.9 or later. | <0.3.9 |
| Regular Expression Denial of Service (ReDoS): triggered while parsing the input markdown content (about 1,000 characters costs around 6 seconds of matching time). Fix: upgrade to 0.3.9 or later. | <0.3.9 |
| Cross-site Scripting (XSS): data URIs embed small files inline in an HTML document, carried in the URL itself. An attacker can craft a malicious page containing HTML or script code delivered through the `data:` URI scheme, bypassing access controls or stealing sensitive information. An example of a data URI used to deliver JavaScript code: …; the data holds …. Fix: upgrade to 0.3.7 or later. | <0.3.7 |
| VBScript Content Injection: … will get a link …. This script does not work in IE 11 edge mode, but works in IE 10 compatibility view. Fix: upgrade to 0.3.3 or later. | <0.3.3 |
| Multiple Content Injection Vulnerabilities: marked ships an option, `sanitize: true`, to sanitize output and help protect against content injection attacks. Even with this option set, marked is vulnerable to content injection in multiple locations if untrusted user input is fed to marked and the output is passed to the browser. Injection is possible in two locations: …. Source: Node Security Project. Note: CVE-2014-1850 is a duplicate of CVE-2014-3743. Fix: upgrade to version 0.3.1 or later. | <0.3.1 |
| Regular Expression Denial of Service (ReDoS): triggered when certain types of input are passed in to be parsed. Fix: upgrade to 0.3.4 or later. | <0.3.4 |
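The three link-target advisories above (uppercase hex character references, `data:` URIs, `vbscript:`) share one root cause: the scheme check ran on a string that was not decoded the way a browser decodes it. The following is an added example, not code from marked or from Snyk, of a link-target check that decodes character references (decimal, lowercase and uppercase hex, and `&colon;`) and strips control characters before comparing the scheme. The `legacy*` functions are a simplified model of the flaw the 0.3.9 advisory describes (only a lowercase `x` recognised in hex references); they are an assumption for the demonstration, not marked's implementation, and the probe hrefs are constructed.

```javascript
// Added example (not marked's own code): scheme checking on link targets that
// first decodes HTML character references the way a browser would, so that
// &#X6A;avascript: (uppercase X), data: and vbscript: targets are all rejected.

const NAMED_REFS = { colon: ':', Tab: '\t', NewLine: '\n', amp: '&', lt: '<', gt: '>', quot: '"' };

// Decode numeric (&#106; / &#x6a; / &#X6A;) and a few named references; leave anything else as-is.
function decodeEntities(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : whole;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_REFS, body) ? NAMED_REFS[body] : whole;
  });
}

const DANGEROUS_SCHEME = /^(javascript|vbscript|data):/;

// Browsers ignore ASCII control characters and whitespace when parsing a URL scheme,
// so strip them before comparing. The result is used only for the check, never rendered.
function schemeForCheck(href) {
  return decodeEntities(href).replace(/[\u0000-\u0020\u007f]+/g, '').toLowerCase();
}

function isSafeHref(href) {
  return !DANGEROUS_SCHEME.test(schemeForCheck(href));
}

// Simplified model of the flaw the 0.3.9 advisory describes (an assumption, not
// marked's code): hex references are recognised only with a lowercase x, so
// "&#X6A;" is mis-decoded and the scheme comparison sees something other than "javascript:".
function legacyUnescape(s) {
  return s.replace(/&([#\w]+);/g, (whole, n) => {
    if (n === 'colon') return ':';
    if (n[0] !== '#') return whole;
    return n[1] === 'x' ? String.fromCharCode(parseInt(n.slice(2), 16))
                        : String.fromCharCode(Number(n.slice(1)));
  });
}

function legacyIsSafeHref(href) {
  const prot = legacyUnescape(href).replace(/[^\w:]/g, '').toLowerCase();
  return !DANGEROUS_SCHEME.test(prot);
}

// Constructed probe set: [href, verdict expected from the hardened check].
const PROBES = [
  ['https://example.com/', true],
  ['mailto:user@example.com', true],
  ['javascript:alert(1)', false],
  ['&#x6a;avascript:alert(1)', false],      // lowercase hex reference
  ['&#X6A;avascript:alert(1)', false],      // uppercase hex reference (the 0.3.9 bypass)
  ['&#106;avascript:alert(1)', false],      // decimal reference
  ['javascript&colon;alert(1)', false],     // named reference for the colon
  ['java\tscript:alert(1)', false],         // embedded tab, ignored by browsers
  ['vbscript:msgbox(1)', false],
  ['data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==', false],
];

// Hrefs the legacy check lets through but the hardened check rejects.
function bypassesOfLegacyCheck() {
  return PROBES.filter(([href, safe]) => !safe && legacyIsSafeHref(href)).map(([href]) => href);
}

for (const [href, expected] of PROBES) {
  const verdict = isSafeHref(href);
  console.log(`${verdict === expected ? 'ok  ' : 'FAIL'} hardened=${verdict} legacy=${legacyIsSafeHref(href)} ${JSON.stringify(href)}`);
}
console.log('legacy check bypassed by:', bypassesOfLegacyCheck());
```

Run with `node` to see the probe table; the only href the legacy model accepts is the uppercase-`X` variant, which is exactly the case the advisory names. Note that the check decides whether to emit the link at all; the decoded string is never written into the output, so this does not trade one injection for another.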
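Several rows in the table quote matching times (about 10 seconds for 150 characters; about 6 seconds for 1,000 characters). The following is an added example, not code from marked and not marked's regular expressions, showing the pattern shape that produces that behaviour and a small timing harness a practitioner can use to test a suspect regex before shipping it. The two patterns and the attack input are constructed for the demonstration.

```javascript
// Added example (not marked's code or patterns): why a nested quantifier turns
// a failing match into exponential work, and how to measure it.

// Vulnerable shape: a quantified group whose body is itself quantified over the
// same characters. On a run of n blanks that ultimately fails to match, the
// engine tries every way of splitting the run between the inner and the outer
// quantifier (about 2^(n-1) of them) before reporting "no match".
const NESTED_QUANTIFIER = /^([ \t]+)+$/;

// Same language, a single quantifier: one pass, then failure.
const SINGLE_QUANTIFIER = /^[ \t]+$/;

// Constructed attack input: n blanks followed by a character that guarantees failure.
function attackInput(n) {
  return ' '.repeat(n) + 'x';
}

// Run one match and report the verdict and the wall-clock cost in milliseconds.
function timeMatch(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, elapsedMs: performance.now() - start };
}

// How much does the cost grow when the input grows by `step` characters?
// A ratio near 2^step fingerprints exponential backtracking; near 1 means linear.
function growthRatio(re, n, step) {
  const base = Math.max(timeMatch(re, attackInput(n)).elapsedMs, 1e-3);
  return timeMatch(re, attackInput(n + step)).elapsedMs / base;
}

// Demo: the nested pattern roughly doubles its cost per added blank, while the
// single-quantifier pattern handles a thousand times more input in negligible time.
for (const n of [16, 18, 20, 22]) {
  const slow = timeMatch(NESTED_QUANTIFIER, attackInput(n));
  const fast = timeMatch(SINGLE_QUANTIFIER, attackInput(n * 1000));
  console.log(`n=${n}: nested ${slow.elapsedMs.toFixed(1)} ms, single on ${n * 1000} chars ${fast.elapsedMs.toFixed(3)} ms`);
}
console.log(`growth ratio for +2 chars, nested: ${growthRatio(NESTED_QUANTIFIER, 18, 2).toFixed(1)}x`);
```

When reviewing a parser's regexes, feed each one a failing input of this shape and watch the growth ratio; a pattern whose cost doubles per character is a denial-of-service primitive regardless of what it is meant to match. Keeping `n` below about 24 in the demo keeps the run to well under a second on a typical machine.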