CVE-2022-21680
Denial of service vulnerability in marked (npm)
What is CVE-2022-21680 About?
This vulnerability is a Denial of Service (DoS) caused by a catastrophic backtracking bug in the 'marked' library's regular expression (`block.def`). It allows attackers to exhaust system resources by providing a specially crafted markdown string, leading to a service outage. Exploiting this is relatively easy for an attacker who can supply untrusted input to the 'marked' parser.
Affected Software
Technical Details
The vulnerability resides in the `block.def` regular expression within the 'marked' library. When processing certain specially crafted strings, such as `[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`, the regular expression engine enters a state of catastrophic backtracking. This means the engine tries an excessive number of permutations to match the input, consuming exponential amounts of CPU time and memory. An attacker providing such an input to a system using 'marked' for parsing untrusted markdown can cause the parsing process to hang indefinitely, effectively leading to a denial of service by exhausting computing resources.
What is the Impact of CVE-2022-21680?
Successful exploitation may allow attackers to disrupt service availability by causing applications to become unresponsive or crash, leading to a denial of service.
What is the Exploitability of CVE-2022-21680?
Exploitation involves providing a specially crafted input string to the vulnerable markdown parser. The complexity is low as it primarily requires the ability to submit untrusted markdown content. There are no specific authentication or privilege requirements beyond the ability to interact with the application that processes markdown. This is a remote exploit if the markdown input can be provided remotely. The primary risk factor is the application's acceptance and processing of user-supplied or untrusted markdown content without proper resource limits or sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-21680?
About the Fix from Resolved Security
This patch modifies regular expressions used for parsing link and reference labels to prevent catastrophic backtracking and excessive computation on crafted malicious input, addressing a regular expression denial of service (ReDoS) vulnerability. By tightening and restructuring the regex patterns for label parsing, it mitigates the risk of performance degradation when processing specially crafted Markdown, thereby fixing CVE-2022-21680.
Available Upgrade Options
- marked
- <4.0.10 → Upgrade to 4.0.10
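To check whether a project still pulls in an affected release (including nested copies installed under other dependencies), the following added example, which is not code from the marked project or this advisory, scans a package-lock.json `packages` map (lockfileVersion 2 or 3, assumed) against the fixed version 4.0.10 named above; the sample lockfile is constructed for illustration.

```javascript
// Added example: flag marked < 4.0.10 in a package-lock.json "packages" map.
// Assumes lockfileVersion 2 or 3 layout, where every installed copy appears
// under a key ending in "node_modules/marked". Not part of marked itself.
const FIXED = [4, 0, 10]; // first release containing the fix, per this page

function parseVersion(v) {
  // Strip a leading "v" and any prerelease/build suffix; expect numeric x.y.z.
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return null;
  return parts;
}

function isVulnerableMarked(version) {
  const p = parseVersion(version);
  if (!p) return null; // unparseable (e.g. a tag like "latest"): cannot decide
  for (let i = 0; i < 3; i++) {
    if (p[i] < FIXED[i]) return true;
    if (p[i] > FIXED[i]) return false;
  }
  return false; // exactly 4.0.10
}

function findVulnerableMarked(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/marked')) continue;
    if (isVulnerableMarked(info.version) === true) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a direct dependency on 4.0.9, a nested 2.0.0
// under a hypothetical transitive dependency, and one copy already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { marked: '^4.0.0' } },
    'node_modules/marked': { version: '4.0.9' },
    'node_modules/some-docs-tool': { version: '1.2.3' },
    'node_modules/some-docs-tool/node_modules/marked': { version: '2.0.0' },
    'node_modules/other-tool/node_modules/marked': { version: '4.0.10' },
  },
};

console.log(findVulnerableMarked(SAMPLE_LOCK)); // reports 4.0.9 and 2.0.0
```

Read the real lockfile with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass it to `findVulnerableMarked`; every reported path needs an upgrade to 4.0.10, not only the top-level copy.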
Additional Resources
- https://github.com/markedjs/marked/releases/tag/v4.0.10
- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/
- https://osv.dev/vulnerability/GHSA-rrrm-qjm4-v8hf
- https://github.com/markedjs/marked
- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
- https://nvd.nist.gov/vuln/detail/CVE-2022-21680
What are Similar Vulnerabilities to CVE-2022-21680?
Similar Vulnerabilities: CVE-2021-3822, CVE-2021-33623, CVE-2021-3777, CVE-2016-10707, CVE-2021-23395
