simple-markdown@0.3.2 vulnerabilities

Javascript markdown parsing, made simple

  • latest version

    0.7.3

  • latest non vulnerable version

  • first published

    9 years ago

  • latest version published

    3 years ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the simple-markdown package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Regular Expression Denial of Service (ReDoS)

    simple-markdown is a markdown-like parser designed for simplicity and extensibility.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to certain patterns which will exhibit increased complexity, therefore leading to increased parsing duration.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade simple-markdown to version 0.6.1 or higher.

    <0.6.1
    • M
    Regular Expression Denial of Service (ReDoS)

    simple-markdown is a markdown-like parser designed for simplicity and extensibility.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) such that spaces will be parsed as part of the \s*s or as part of the [\S\s]*, which leads to catastrophic backtracking in the case of a string with many spaces.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade simple-markdown to version 0.5.2 or higher.

    <0.5.2
    • M
    Regular Expression Denial of Service (ReDoS)

    simple-markdown is a markdown-like parser designed for simplicity and extensibility.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing of complex quadratic documents with may cause a slowdown of 7174ms seconds due to parsing, and could result in Denial of Service.

    PoC

    <script src="simple-markdown.min.js"></script>
    <script>
    var str = "<".repeat(2000)+":/".repeat(1500);
    var t1 = performance.now();
    SimpleMarkdown.defaultInlineParse(str);
    var t2 = performance.now();
    document.write(str.length+" bytes, "+(t2-t1)+"ms");
    </script>
    

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade simple-markdown to version 0.6.1 or higher.

    <0.6.1
    • M
    Regular Expression Denial of Service (ReDoS)

    simple-markdown is a markdown-like parser designed for simplicity and extensibility.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via inline code blocks.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade simple-markdown to version 0.5.2 or higher.

    <0.5.2
    • M
    Cross-site Scripting (XSS)

    simple-markdown is a markdown-like parser designed for simplicity and extensibility.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the data of a vbscript link when base64 encoded.

    POC

    var SimpleMarkdown = require("simple-markdown");
    var mdOutput = SimpleMarkdown.defaultHtmlOutput;
    var implicitParse = SimpleMarkdown.defaultImplicitParse;
    var syntaxTree = implicitParse(
      "Test payload - [link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=)"
    );
    var parsed_payload = mdOutput(syntaxTree);
    
    document.getElementById("app").innerHTML = parsed_payload;
    

    How to fix Cross-site Scripting (XSS)?

    Upgrade simple-markdown to version 0.4.4 or higher.

    <0.4.4