CVE-2022-21680: Marked Markdown Parser ReDoS Vulnerability and How to Mitigate It

CVE-2022-21680 is a security vulnerability affecting the popular marked package, a markdown parser and compiler widely used in web applications. The flaw enables a Regular Expression Denial of Service (ReDoS) attack: applications that process untrusted markdown content with a vulnerable version of marked (prior to 4.0.10) can be made to spend excessive CPU time in the parser, especially when parsing is not run in a worker thread with a time limit.

Discovery

The issue was identified by a security researcher and published through GitHub on the official marked repository. You can find more information by visiting the original GitHub issue here: CVE-2022-21680 - Issue #2386.

Details

This vulnerability lies in the block.def regular expression, which exhibits catastrophic backtracking against specific strings, leading to ReDoS. To understand what this means, let us examine the regular expression and the problematic input affected by this issue.

The block.def regular expression is

/^ *\[([^\]]+)\]: *<?([^\s>]+)>?(?:\s+['"](.*?)['"])?\s*(?=\n+\s*(?:\n\S|\s*$))/gm

This pattern aims to match link definitions, but the backtracking issue can cause performance degradation for certain input strings.

With this vulnerability, an attacker who can submit a specially crafted markdown string to an affected system can make the marked library consume an excessive amount of CPU time trying to match the regex, leading to performance degradation or denial of service.

Affected Versions

All versions of marked prior to version 4.0.10 are affected by this vulnerability.

Patched Version

This issue has been patched in version 4.0.10. You can find the specific release and patch details on GitHub: Release v4.0.10.

Upgrade marked to version 4.0.10 or later

Update your project's dependencies to use the patched version of marked. In your package.json, modify the dependencies section to specify the upgraded version:

{
  "dependencies": {
    "marked": "^4.0.10"
  }
}

Avoid processing untrusted markdown content

If possible, refrain from allowing users to input markdown content that the application later processes using the marked library. Only parse trusted markdown content or find alternative methods for managing user-generated content.

Run marked in a worker thread with a time limit

To limit the resources consumed by the marked library while processing potentially malicious input, consider using a worker thread to run the markdown parsing job. Set a reasonable time limit for the worker thread to complete the task. This precaution can help prevent the entire application from becoming unresponsive due to CPU-intensive regex backtracking.

Conclusion

It is essential to stay up-to-date with the latest patches and releases for the dependencies your project relies on, especially those with security implications, like this ReDoS vulnerability in marked. Regularly auditing dependencies for known vulnerabilities can help you ensure the overall security and performance of your applications.

Timeline

Published on: 01/14/2022 17:15:00 UTC
Last modified on: 01/24/2022 19:31:00 UTC