VYPR
High severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 17, 2024

CVE-2017-16114

Description

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The marked npm module before 0.3.9 contains a ReDoS vulnerability; 1,000 characters of crafted input cause ~6 seconds of blocking.

Vulnerability

The marked npm module is a Markdown parser and compiler. Versions prior to 0.3.9 contain a regular expression denial of service (ReDoS) vulnerability in the regular expression /^(`+)\s*([\s\S]*?[^`])\s*\1(?!`)/ used when parsing inline code spans [3]. An attacker can craft input that causes catastrophic backtracking, leading to exponential processing time. The issue was publicly reported and confirmed in GitHub issue #937 [3].

Exploitation

An attacker does not need any special privileges or network position beyond the ability to supply Markdown content to the application that uses the marked library. By providing a specially crafted string containing backtick characters and whitespace, the vulnerable regular expression enters a state of excessive backtracking. According to the public issue, a payload of about 1,000 characters can cause the parser to block for approximately 6 seconds [1]. The attacker can repeatedly trigger this to exhaust server resources.

Impact

Successful exploitation causes a denial of service: the Node.js event loop is blocked during the regex evaluation, preventing the application from handling other requests. The impact is limited to availability; no code execution, privilege escalation, or information disclosure occurs. The CVSS v3.1 base score is 7.5 (High) under vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [1].
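Worked derivation of the stated base score from its vector, added here as an illustration (not part of the VYPR record); it uses the published CVSS v3.1 metric weights for AV:N, AC:L, PR:N (unchanged scope), UI:N, C:N, I:N and A:H:

$$
\begin{aligned}
\text{ISS} &= 1 - (1 - C)(1 - I)(1 - A) = 1 - (1 - 0)(1 - 0)(1 - 0.56) = 0.56 \\
\text{Impact} &= 6.42 \times \text{ISS} = 6.42 \times 0.56 = 3.5952 \quad (\text{scope unchanged}) \\
\text{Exploitability} &= 8.22 \times \text{AV} \times \text{AC} \times \text{PR} \times \text{UI} = 8.22 \times 0.85 \times 0.77 \times 0.85 \times 0.85 \approx 3.887 \\
\text{Base} &= \operatorname{Roundup}\big(\min(\text{Impact} + \text{Exploitability},\, 10)\big) = \operatorname{Roundup}(7.482) = 7.5
\end{aligned}
$$

Only the availability term contributes to ISS, which is why an unauthenticated, network-reachable, low-complexity ReDoS with no confidentiality or integrity effect still lands at 7.5 (High).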

Mitigation

Users should upgrade marked to version 0.3.9 or later, which was released to fix the ReDoS vulnerability [2]. No workaround is available; applications processing untrusted Markdown input are strongly advised to update immediately. CVE-2017-16114 is not listed on the CISA Known Exploited Vulnerabilities catalog as of the publication date.
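Because the only remediation is the version bump, the practical check is whether any copy of marked in a dependency tree is still below 0.3.9, including nested copies pulled in transitively by other packages. The following is an added example written for this page, not code from VYPR or the marked project: it walks an npm package-lock.json object (both the lockfileVersion 1 nested "dependencies" tree and the lockfileVersion 2/3 flat "packages" map) and reports every vulnerable copy. The function names and the sample lockfile are constructed for the example; the only fact taken from the advisory is the patched version 0.3.9.

```javascript
// Added example (not VYPR's or marked's own code): audit an npm lockfile
// for copies of `marked` older than the patched 0.3.9 release.

const PATCHED_MARKED = "0.3.9"; // first release fixing CVE-2017-16114, per the advisory

// Compare two dotted numeric versions; returns -1, 0 or 1 like a sort comparator.
// Pre-release suffixes are ignored ("0.3.9-rc1" compares as 0.3.9).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A marked version is affected when it sorts strictly below the patched release.
function isVulnerableMarked(version) {
  return compareVersions(version, PATCHED_MARKED) < 0;
}

// Walk a parsed package-lock.json and return [{ path, version }] for every
// vulnerable copy of marked, top-level or nested.
function findVulnerableMarked(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith("node_modules/marked") && meta.version && isVulnerableMarked(meta.version)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested tree of { version, dependencies }.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (name === "marked" && meta.version && isVulnerableMarked(meta.version)) {
          hits.push({ path: p, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (v2 layout): the top-level marked is patched,
// but a documentation tool pins its own nested, still-vulnerable copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/marked": { version: "0.3.9" },
    "node_modules/some-docs-tool": { version: "2.1.0", dependencies: { marked: "^0.3.6" } },
    "node_modules/some-docs-tool/node_modules/marked": { version: "0.3.6" },
  },
};

for (const hit of findVulnerableMarked(SAMPLE_LOCK)) {
  console.log(`CVE-2017-16114: ${hit.path} is marked@${hit.version} (< ${PATCHED_MARKED})`);
}
```

Run it as a plain Node script; to audit a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The nested hit in the sample is the case a top-level `npm ls marked` glance tends to miss, and the one that keeps an application exposed after an apparently successful upgrade.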

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions    Patched versions
marked (npm)   < 0.3.9              0.3.9

Affected products (2)

  • ghsa-coords
    Range: < 0.3.9
  • HackerOne / marked node module v5
    Range: All versions

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (5)

News mentions (0)

No linked articles in our index yet.