simple-markdown@0.3.1 vulnerabilities

Javascript markdown parsing, made simple

latest version

0.7.3
latest non vulnerable version

1.0.0-alpha.0
first published

9 years ago
latest version published

3 years ago
licenses detected
- MIT
  >=0
View simple-markdown package health on Snyk Advisor Open this link in a new tab

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the simple-markdown package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) simple-markdown is a markdown-like parser designed for simplicity and extensibility. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to certain patterns which will exhibit increased complexity, therefore leading to increased parsing duration. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `simple-markdown` to version 0.6.1 or higher.	<0.6.1
M Regular Expression Denial of Service (ReDoS) simple-markdown is a markdown-like parser designed for simplicity and extensibility. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) such that spaces will be parsed as part of the `\s`s or as part of the `[\S\s]`, which leads to catastrophic backtracking in the case of a string with many spaces. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `simple-markdown` to version 0.5.2 or higher.	<0.5.2
M Regular Expression Denial of Service (ReDoS) simple-markdown is a markdown-like parser designed for simplicity and extensibility. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Parsing of complex quadratic documents with may cause a slowdown of `7174ms` seconds due to parsing, and could result in Denial of Service. PoC `<script src="simple-markdown.min.js"></script> <script> var str = "<".repeat(2000)+":/".repeat(1500); var t1 = performance.now(); SimpleMarkdown.defaultInlineParse(str); var t2 = performance.now(); document.write(str.length+" bytes, "+(t2-t1)+"ms"); </script>` How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `simple-markdown` to version 0.6.1 or higher.	<0.6.1
M Regular Expression Denial of Service (ReDoS) simple-markdown is a markdown-like parser designed for simplicity and extensibility. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via inline code blocks. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `simple-markdown` to version 0.5.2 or higher.	<0.5.2
M Cross-site Scripting (XSS) simple-markdown is a markdown-like parser designed for simplicity and extensibility. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the data of a vbscript link when base64 encoded. POC `var SimpleMarkdown = require("simple-markdown"); var mdOutput = SimpleMarkdown.defaultHtmlOutput; var implicitParse = SimpleMarkdown.defaultImplicitParse; var syntaxTree = implicitParse( "Test payload - [link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=)" ); var parsed_payload = mdOutput(syntaxTree); document.getElementById("app").innerHTML = parsed_payload;` How to fix Cross-site Scripting (XSS)? Upgrade `simple-markdown` to version 0.4.4 or higher.	<0.4.4

Go back to all versions of this package

simple-markdown@0.3.1 vulnerabilities

Javascript markdown parsing, made simple

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

PoC

POC