simple-markdown@0.5.3 vulnerabilities

JavaScript markdown parsing, made simple

Direct Vulnerabilities

Known vulnerabilities in the simple-markdown package. This does not include vulnerabilities belonging to this package’s dependencies.

Severity: M (medium)
Regular Expression Denial of Service (ReDoS)

simple-markdown is a markdown-like parser designed for simplicity and extensibility.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS): certain regular-expression patterns used by the parser exhibit increased complexity on crafted input, leading to increased parsing duration.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade simple-markdown to version 0.6.1 or higher.

Vulnerable versions: <0.6.1

Severity: M (medium)
Regular Expression Denial of Service (ReDoS)

simple-markdown is a markdown-like parser designed for simplicity and extensibility.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing crafted documents that trigger quadratic behaviour may take about 7174 ms, which could result in Denial of Service.

PoC

<script src="simple-markdown.min.js"></script>
<script>
var str = "<".repeat(2000)+":/".repeat(1500);
var t1 = performance.now();
SimpleMarkdown.defaultInlineParse(str);
var t2 = performance.now();
document.write(str.length+" bytes, "+(t2-t1)+"ms");
</script>

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade simple-markdown to version 0.6.1 or higher.

Vulnerable versions: <0.6.1