CVE-2017-16114
regular expression denial of service vulnerability in marked (npm)
What is CVE-2017-16114 About?
This vulnerability is a regular expression denial of service (ReDoS) in affected versions of `marked`. Specially crafted input blocks the event loop for a significant duration, leading to service disruption. Exploitation is relatively easy, requiring only that crafted input.
Affected Software
Technical Details
The vulnerability stems from an inefficient regular expression within the marked library. When a specially crafted input string is processed by this regex, it triggers excessive backtracking, leading to a significant increase in processing time. The description notes that 1,000 characters can block the event loop for around 6 seconds, indicating a high amplification factor where processing time grows super-linearly with input size, effectively locking up the application by consuming all available CPU resources.
What is the Impact of CVE-2017-16114?
Successful exploitation may allow attackers to cause a denial of service, rendering the affected application unresponsive to legitimate users.
What is the Exploitability of CVE-2017-16114?
Exploitation of this vulnerability is of low complexity. It requires no authentication or specific privileges, as it targets a client-side parsing library which is typically used to render user-provided content. The attack is remote, simply requiring the attacker to provide a malicious string as input to the marked library. The primary risk factor is any application that processes untrusted or user-controlled input through the vulnerable marked library version, since specially crafted input can easily trigger the denial of service.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2017-16114?
Available Upgrade Options
- marked
- <0.3.9 → Upgrade to 0.3.9
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2017-16114
- https://osv.dev/vulnerability/GHSA-x5pg-88wf-qq4p
- https://www.npmjs.com/advisories/531
- https://github.com/advisories/GHSA-x5pg-88wf-qq4p
- https://github.com/chjj/marked/issues/937
- https://nodesecurity.io/advisories/531
What are Similar Vulnerabilities to CVE-2017-16114?
Similar Vulnerabilities: CVE-2016-4055, CVE-2017-15944, CVE-2019-10741, CVE-2020-28283, CVE-2021-3918
