markdown2@2.3.7 vulnerabilities

A fast and complete Python implementation of Markdown

Direct Vulnerabilities

Known vulnerabilities in the markdown2 package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • Medium: Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization for nested incomplete tags.

How to fix Cross-site Scripting (XSS)?

Upgrade markdown2 to version 2.4.4 or higher.

Vulnerable versions: [,2.4.4)
  • Medium: Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the insecure regex \*\*(?=\S)(.+?[*_]*)(?<=\S)\*\*. Exploiting this vulnerability results in catastrophic backtracking.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade markdown2 to version 2.4.11 or higher.

Vulnerable versions: [,2.4.11)
  • Medium: Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The sanitization can be bypassed on any HTML element by inserting a newline, which the .+ pattern does not match.

How to fix Cross-site Scripting (XSS)?

Upgrade markdown2 to version 2.4.4 or higher.

Vulnerable versions: [0,2.4.4)
  • Medium: Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper regex usage in the _prepare_pyshell_blocks function.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade markdown2 to version 2.4.3 or higher.

Vulnerable versions: [,2.4.3)
  • Medium: Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via URL auto-linking.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade markdown2 to version 2.4.2 or higher.

Vulnerable versions: [,2.4.2)
  • High: Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the _do_headers function.

PoC:

import markdown2

markdown2.markdown(' '*100000+'$')

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade markdown2 to version 2.4.1 or higher.

Vulnerable versions: [,2.4.1)
  • High: Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, markdown2 can be made to get stuck processing it for exponential time.

PoC:

import markdown2

# Each call triggers catastrophic backtracking in a different code path
# (the 'numbering' extra, fenced code blocks, and file-variable parsing).
markdown2.markdown('[#a' + ' ' * 3456, extras=['numbering'])

markdown2.markdown('```' + '\n' * 3456, extras=['fenced-code-blocks'])

markdown2.markdown('-*-' + ' ' * 3456, use_file_vars=True)

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade markdown2 to version 2.4.0 or higher.

Vulnerable versions: [1.0.1.18,2.4.0)
  • High: Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via link_text in markdown2.py.

How to fix Cross-site Scripting (XSS)?

Upgrade markdown2 to version 2.3.9 or higher.

Vulnerable versions: [,2.3.9)
  • High: Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.

How to fix Cross-site Scripting (XSS)?

Upgrade markdown2 to version 2.3.9 or higher.

Vulnerable versions: [0,2.3.9)