Vulnerability Description
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Marked Project | Marked | < 0.3.17 |
Related Weaknesses (CWE)
References
- https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVExploitThird Party Advisory
- https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd4Patch
- https://github.com/markedjs/marked/issues/1070Issue TrackingThird Party Advisory
- https://github.com/markedjs/marked/pull/1083Issue TrackingPatch
FAQ
What is CVE-2018-25110?
CVE-2018-25110 is a vulnerability with a CVSS score of 7.5 (HIGH). Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and mar...
How severe is CVE-2018-25110?
CVE-2018-25110 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-25110?
Check the references section above for vendor advisories and patch information. Affected products include: Marked Project Marked.