High severity · NVD Advisory · Published Jan 14, 2022 · Updated Apr 22, 2025
Exponential catastrophic backtracking (ReDoS) in marked
CVE-2022-21681
Description
Marked is a Markdown parser and compiler. In versions prior to 4.0.10, the regular expression `inline.reflinkSearch` can undergo catastrophic (exponential) backtracking on crafted input, tying up the thread that runs the parser and causing a denial of service (DoS). Any application that passes untrusted Markdown through a vulnerable version of marked without running it in a worker under a time limit is exposed. The issue is patched in version 4.0.10. As a workaround, do not run untrusted Markdown through marked, or run marked on a worker thread with a reasonable time limit and terminate the worker when the limit is exceeded, so a stuck parse cannot drain CPU indefinitely.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| marked (npm) | < 4.0.10 | 4.0.10 |
Affected products
- marked (npm), range: < 4.0.10
Patches
Vulnerability mechanics
References
- github.com/advisories/GHSA-5v2h-r2cx-5xgj (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/ (MITRE vendor advisory; also listed by GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-21681 (GHSA, advisory)
- github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5 (GHSA, fix commit)
- github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (GHSA, fix commit)
- github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj (GHSA, project advisory)