CVE-2022-21681
Denial of service vulnerability in marked (npm)

Tags: Denial of service · No known exploit · Fixable by Resolved Security

What is CVE-2022-21681 About?

This vulnerability is a Denial of Service (DoS) caused by Inefficient Regular Expression Complexity, a Regular Expression Denial of Service (ReDoS), in the `inline.reflinkSearch` regular expression of the Mark.js library. Processing specially crafted markdown input triggers catastrophic backtracking, consuming excessive CPU time and leaving the service unresponsive. It is moderately easy to exploit, requiring only a specific malicious markdown input.

Affected Software

marked <4.0.10

Technical Details

The vulnerability in the marked library (Mark.js) is due to an inefficient regular expression, specifically `inline.reflinkSearch`. When this regex is applied to crafted input strings containing deeply nested patterns such as `\[\](\[\](\[\](...))))`, it exhibits catastrophic backtracking: the time the regex engine needs to evaluate the input grows exponentially with the length of the string. An attacker can therefore send a relatively small but specially formed markdown string that forces the server to spend excessive CPU cycles on regex evaluation, denying service to the markdown parsing component and potentially to the entire application.

What is the Impact of CVE-2022-21681?

Successful exploitation may allow attackers to cause a denial of service by forcing the application to consume excessive CPU resources, leading to unresponsiveness or crashes, thereby disrupting service availability.

What is the Exploitability of CVE-2022-21681?

Exploitation involves providing a specially crafted markdown string that triggers catastrophic backtracking in the `inline.reflinkSearch` regular expression of the marked library. This is a low-to-moderate complexity attack. No authentication is typically needed if the application accepts untrusted markdown input from any source, and privilege requirements are minimal because the attack targets the parsing function itself. The vulnerability is remotely reachable whenever the application exposes a way to submit markdown, for example through user comments or content submission. The special condition is that the application processes untrusted markdown without running the parser in a worker with a time limit. Risk factors that increase the likelihood of exploitation include publicly accessible interfaces that parse user-supplied markdown content without applying resource limits or robust input validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits.

What are the Available Fixes for CVE-2022-21681?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

About the Fix from Resolved Security

This patch tightens the regular expressions used for Markdown reference labels and links so that they cannot backtrack excessively, which is what allowed the Regular Expression Denial of Service (ReDoS). By making the patterns more specific and less permissive, the patch addresses the root cause of CVE-2022-21681, which was exploitable via crafted input that caused slow processing and potential DoS.

Available Upgrade Options

  • marked
    • <4.0.10 → Upgrade to 4.0.10


Additional Resources

What are Similar Vulnerabilities to CVE-2022-21681?

Similar Vulnerabilities: CVE-2021-3749, CVE-2021-42340, CVE-2021-27515, CVE-2020-28198, CVE-2020-8260