
Vulnerability due to dependency on outdated version of "marked" (WS-2020-0163, CVE-2021-21306, CVE-2022-21681)

Open WilliamRADFunk opened this issue 3 years ago • 1 comment

https://security-tracker.debian.org/tracker/CVE-2022-21681
https://nvd.nist.gov/vuln/detail/CVE-2021-21306
https://snyk.io/test/npm/gitdown

To resolve, gitdown would need to update its dependency on "marked" to "^4.0.10".

NPM overrides are insufficient to solve this problem in the meantime because gitdown uses marked directly as the parse function call. The fixed version of marked requires marked.parse() rather than marked(). Overriding will just cause errors because of that one line in gitdown's code.

These are Regular Expression Denial of Service vulnerabilities. Please upgrade this dependency as many of our packages use gitdown but will be blocked when the SLA on this vulnerability has been exceeded.

Added info on ReDoS: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

WilliamRADFunk, May 02 '22 21:05
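As an added example (not gitdown's own code and not the issue author's), the two checks a maintainer would run around this bump: an audit of an npm lockfile (v2/v3 `packages` map) that finds every resolved copy of `marked`, including nested ones, and flags those still below 4.0.10 with a real numeric comparison (a string compare would rank "4.0.10" below "4.0.9"); and a render helper that calls `marked.parse()` when it exists and falls back to the legacy callable `marked()` otherwise, which is the one-line change that makes an override of marked >= 4 stop throwing. The lockfile, the package versions inside it and the two stand-in `marked` modules are constructed for this example; the real marked package is not loaded.

```javascript
// Added example, not part of gitdown or of the issue thread.
const FIXED_VERSION = '4.0.10'; // first marked release the issue asks gitdown to require

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
// Needed because '4.0.10' < '4.0.9' as strings but not as versions.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk a package-lock.json (lockfileVersion 2 or 3) and report every
// resolved copy of `pkgName`, top-level or nested, with a vulnerable flag.
function auditLock(lock, pkgName = 'marked', fixed = FIXED_VERSION) {
  const findings = [];
  for (const [path, node] of Object.entries(lock.packages || {})) {
    // '' is the root project entry; only node_modules paths are packages.
    if (path === '' || !path.endsWith(`node_modules/${pkgName}`)) continue;
    findings.push({
      path,
      version: node.version,
      vulnerable: compareVersions(node.version, fixed) < 0,
    });
  }
  return findings;
}

// marked < 4 exported a callable; marked >= 4 expects marked.parse().
// Accepting either shape is what lets an npm override of marked work
// without the call site throwing "marked is not a function".
function renderMarkdown(markedModule, src) {
  if (markedModule && typeof markedModule.parse === 'function') {
    return markedModule.parse(src);
  }
  if (typeof markedModule === 'function') {
    return markedModule(src);
  }
  throw new TypeError('marked module is neither callable nor exposes parse()');
}

// Constructed sample lockfile (hypothetical versions): the consumer pins
// marked >= 4.0.10 at the top level, but gitdown still pulls in its own
// nested, older copy, which an override would have to replace.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'consumer', dependencies: { gitdown: '*', marked: '^4.0.10' } },
    'node_modules/marked': { version: '4.0.12' },
    'node_modules/gitdown': { version: '0.0.0-example', dependencies: { marked: '^3.0.0' } },
    'node_modules/gitdown/node_modules/marked': { version: '3.0.8' },
  },
};

// Constructed stand-ins for the two API shapes; not the real marked package.
const legacyMarked = (src) => `<p>${src}</p>`;
const modernMarked = { parse: (src) => `<p>${src}</p>` };

// Run the audit and print anything still below the fixed version.
function report(lock = SAMPLE_LOCK) {
  const findings = auditLock(lock);
  for (const f of findings) {
    console.log(`${f.path}@${f.version}: ${f.vulnerable ? 'VULNERABLE (< ' + FIXED_VERSION + ')' : 'ok'}`);
  }
  return findings;
}

report();
```

The audit is what you would point at each package in a monorepo to see whether bumping the top-level `marked` actually removed the nested copy; the render helper is the shape of the call-site change the comment above says gitdown needs before an override can take effect.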

This should now be resolved as versions should be higher than or equal to 13.0.2

brettz9, Jul 10 '24 19:07