CVE-2021-21306 Denial of Service in Marked

2021-02-0821:20:18

CWE-400

GitHub_M

www.cve.org

marked

markdown

parser

compiler

cve-2021-21306

vulnerability

regular expression

denial of service

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.002

Percentile

56.0%

JSON

Marked is an open-source markdown parser and compiler (npm package “marked”). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.

CNA Affected

[
  {
    "product": "marked",
    "vendor": "markedjs",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.1.1, < 2.0.0"
      }
    ]
  }
]