2 known vulnerabilities via 3 paths
- Vulnerable module: marked
- Introduced through: email@example.com and firstname.lastname@example.org

Path 1: email@example.com › firstname.lastname@example.org › email@example.com
Remediation: Upgrade to firstname.lastname@example.org.

Path 2: email@example.com › firstname.lastname@example.org › email@example.com › firstname.lastname@example.org
Remediation: Upgrade to email@example.com.
marked is a low-level compiler for parsing markdown without caching or blocking for long periods of time.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Three or more groups of odd- and even-numbered consecutive underscores (___) followed by a character cause extended processing: the emphasis regex backtracks through every way of pairing the underscores before it can conclude there is no match, so attacker-controlled markdown can pin a CPU for a long time.
Let's take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

- A: The string must start with the letter 'A'.
- (B|C+)+: The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
- D: Finally, we ensure this section of the string ends with a 'D'.
The expression would match inputs such as

In most cases, it doesn't take very long for a regex engine to find a match. The problem appears on inputs that almost match: 'A' followed by a run of C's and then a character that is not 'D'. The engine can split the run of C's between iterations of the outer group in exponentially many ways, and it tries every one of them before giving up. From there, the number of steps the engine must use to validate a string just continues to grow with each additional 'C'.

| String | Number of C's | Number of steps |
|---|---|---|
Remediation: Upgrade marked to version 2.0.0 or higher.
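The blow-up described above can be measured directly. The following is an added example, not code from the advisory or from marked: it times the advisory's illustrative pattern /A(B|C+)+D/ against an equivalent pattern with no nested quantifier, checks on a constructed corpus that both accept the same strings, and shows the input-length budget you fall back on when a pattern cannot be rewritten (the budget value is an assumption for this example).

```javascript
// Added example, not from the advisory or from marked: measures the backtracking
// blow-up of /A(B|C+)+D/ and contrasts it with an equivalent linear pattern.

// The nested quantifier lets the engine split a run of C's between iterations of
// the outer group in ~2^n ways, and it tries every one before giving up on an
// input that cannot match.
const EVIL = /A(B|C+)+D/;

// (B|C+)+ accepts exactly the non-empty strings over {B, C}, so [BC]+ describes
// the same language with one character class and one quantifier: a linear scan.
const SAFE = /A[BC]+D/;

// Adversarial input: 'A', n C's, then a character that can never satisfy 'D'.
function adversarialInput(n) {
  return "A" + "C".repeat(n) + "X";
}

// Time one regex.test() call in milliseconds on the high-resolution clock.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Check on a constructed corpus that both patterns accept exactly the same strings.
function sameLanguage(samples) {
  return samples.every((s) => EVIL.test(s) === SAFE.test(s));
}

// Run both patterns on the adversarial input of size n and report the slowdown.
function compare(n) {
  const input = adversarialInput(n);
  timeTest(EVIL, "ABD"); // warm-up so first-use compilation does not skew the numbers
  timeTest(SAFE, "ABD");
  const evil = timeTest(EVIL, input);
  const safe = timeTest(SAFE, input);
  return { n, evilMs: evil.ms, safeMs: safe.ms, ratio: evil.ms / safe.ms };
}

// Table of results for several n; each added 'C' roughly doubles the evil time.
function report(sizes) {
  return sizes.map(compare);
}

// Mitigation when a pattern cannot be rewritten: refuse over-long inputs before
// they ever reach the regex. The limit is an assumed value for this example.
const MAX_INPUT_LENGTH = 1000;
function guardedTest(re, input) {
  if (input.length > MAX_INPUT_LENGTH) {
    throw new Error(`input of ${input.length} chars exceeds the ReDoS budget`);
  }
  return re.test(input);
}
```

Calling report([10, 16, 20, 22]) shows the evil pattern's time doubling with every extra 'C' while the linear pattern stays in the microsecond range on the same strings. The length cap is a blunt tool: it bounds the damage but does not remove the exponential behaviour, so prefer the rewrite, or a linear-time engine such as RE2, wherever the pattern runs on attacker-controlled text.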
- Vulnerable module: axios
- Introduced through: firstname.lastname@example.org

Path: email@example.com › firstname.lastname@example.org › email@example.com
Remediation: Upgrade to firstname.lastname@example.org.
axios is a promise based HTTP client for the browser and node.js.
Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF). An attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address: the initial request goes through the configured proxy, but the redirect target is requested without it, so a proxy that was meant to fence the application off from internal addresses no longer sees the request.
Remediation: Upgrade axios to version 0.21.1 or higher.
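Upgrading closes this particular bug, but an application that fetches user-supplied URLs should not rely on the HTTP client to police redirects at all. The following is an added example, not axios's own code: it follows redirects one hop at a time and re-applies an egress policy to the destination of every hop, so a response that redirects to a restricted host or IP address is refused rather than fetched. The allowlist, the route table and the transport are constructed for the example; with axios the transport would be a single request made with maxRedirects: 0.

```javascript
// Added example, not axios's own code: manual redirect following with a policy
// check on every hop. The transport is injected so the chain runs offline.
const ALLOWED_HOSTS = new Set(["api.example.com"]); // assumed egress allowlist

// IPv4 ranges a server-side fetcher should never reach: "this" network,
// loopback, RFC 1918 private space and link-local.
function isRestrictedIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Resolve a (possibly relative) Location against the current URL and apply the
// policy. WHATWG URL parsing normalises shorthand literals such as "127.1" to
// 127.0.0.1, so the checks below run on the canonical host.
function validateHop(location, base) {
  const url = new URL(location, base);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`refusing non-HTTP scheme ${url.protocol}`);
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host === "::1" || isRestrictedIPv4(host)) {
    throw new Error(`refusing restricted host ${host}`);
  }
  if (!ALLOWED_HOSTS.has(host)) {
    throw new Error(`host ${host} is not on the egress allowlist`);
  }
  return url;
}

// Follow redirects manually. transport(href) performs ONE request with redirects
// disabled and returns { status, headers, body }; with axios that is
// axios.get(href, { maxRedirects: 0, validateStatus: () => true }). Because each
// hop is a fresh request, each hop also goes through whatever proxy is configured.
function fetchWithPolicy(startUrl, transport, maxRedirects = 5) {
  let url = validateHop(startUrl);
  for (let hop = 0; hop <= maxRedirects; hop++) {
    const res = transport(url.href);
    const location = res.headers && res.headers.location;
    if (res.status >= 300 && res.status < 400 && location) {
      url = validateHop(location, url); // policy re-applied before the next request
      continue;
    }
    return { url: url.href, status: res.status, body: res.body, hops: hop };
  }
  throw new Error("too many redirects");
}

// Constructed fake transport: an allowed host with one endpoint that redirects to
// a loopback address, the shape of response the advisory describes.
const fakeRoutes = {
  "https://api.example.com/ok":    { status: 200, headers: {}, body: "hello" },
  "https://api.example.com/moved": { status: 301, headers: { location: "/ok" }, body: "" },
  "https://api.example.com/open":  { status: 302, headers: { location: "http://127.0.0.1:8080/admin" }, body: "" },
  "https://api.example.com/loop":  { status: 302, headers: { location: "/loop" }, body: "" },
};
function fakeTransport(href) {
  return fakeRoutes[href] || { status: 404, headers: {}, body: "" };
}

// Run a URL through the policy and report the outcome instead of throwing.
function tryFetch(startUrl, transport = fakeTransport) {
  try {
    return { ok: true, result: fetchWithPolicy(startUrl, transport) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

tryFetch("https://api.example.com/open") is refused at the second hop with "refusing restricted host 127.0.0.1", while the same-origin redirect in /moved is followed normally. One caveat: the allowlist is checked on hostnames, so name resolution is still left to the transport; where DNS rebinding is in scope, resolve the name yourself, check the resulting address against the same ranges, and pin the connection to it.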