Platform: nodejs
Component: marked
Fixed in: 0.3.4
CVE-2015-8854 describes a denial-of-service (DoS) vulnerability present in versions 0.3.3 and earlier of the marked JavaScript library. This vulnerability arises from a regular expression denial of service (ReDoS) condition when the library processes malicious inputs targeting the em inline rule. Exploitation can lead to significant CPU consumption and potential service disruption. Affected versions include 0.3.3 and earlier; upgrading to version 0.3.4 or later resolves the issue.
An attacker can exploit this vulnerability by crafting malicious Markdown input that, when processed by marked, triggers a ReDoS condition within the regular expression used for the em inline rule. This results in an exponential increase in CPU usage, potentially leading to a denial-of-service (DoS) attack. The impact is primarily focused on the server or application hosting the marked library, as it will become unresponsive due to the excessive CPU load. While direct data exfiltration is not possible, the disruption of service can have significant operational consequences, especially in applications heavily reliant on Markdown processing. ReDoS vulnerabilities are notoriously difficult to detect and mitigate, making this a potentially serious risk.
CVE-2015-8854 was published in 2017. While no active exploitation campaigns have been publicly reported, ReDoS vulnerabilities are generally considered high-risk due to their difficulty in detection and mitigation. There are publicly available proof-of-concept (PoC) exploits demonstrating the vulnerability. This CVE is not currently listed on the CISA KEV catalog. The vulnerability's impact is primarily related to resource exhaustion, rather than data compromise.
Applications built with Node.js that utilize the Marked.js library for Markdown rendering are at risk. This includes web applications, documentation generators, and any other tools that process Markdown content. Specifically, projects relying on older versions of Marked.js, or those that haven't performed recent dependency updates, are particularly vulnerable.
• nodejs / server:
npm list marked
• nodejs / server:
npm audit marked
• nodejs / server:
Check package.json for dependencies on marked versions prior to 0.3.4.
• nodejs / server:
Review application logs for unusually high CPU usage or crashes when processing Markdown content.
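A `package.json` check only covers direct dependencies, so copies of marked pulled in transitively can be missed. The following added example (not from the original page or the marked project) scans a parsed `package-lock.json` object for any installed marked older than 0.3.4; the function names and the sample lockfile are constructed for illustration.

```javascript
const FIXED = [0, 3, 4]; // first fixed release of marked, per this page

// Parse "0.3.3" or "0.3.3-beta" into [0, 3, 3]; pre-release tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable (git URL, tarball): flag for manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // exactly 0.3.4
}

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (/(^|\/)node_modules\/marked$/.test(path) && isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// Lockfile v1: nested "dependencies" tree.
function scanDependencies(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'marked' && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
    scanDependencies(meta.dependencies, `${path}/`, hits);
  }
}

function findVulnerableMarked(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, '', hits);
  return hits;
}

// Constructed sample lockfile (v2 layout), not taken from a real project.
const sampleLock = { lockfileVersion: 2, packages: {
  '': { name: 'demo-app' },
  'node_modules/marked': { version: '0.3.6' },
  'node_modules/doc-gen/node_modules/marked': { version: '0.3.3' },
  'node_modules/marked-terminal': { version: '0.1.0' },
} };
console.log(findVulnerableMarked(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `findVulnerableMarked`.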
EPSS: 0.89% (75th percentile)
The primary mitigation for CVE-2015-8854 is to upgrade to version 0.3.4 or later of the marked library. This version contains a fix that addresses the vulnerable regular expression. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing input validation to sanitize Markdown content before passing it to marked. Specifically, filter or reject inputs containing patterns known to trigger the ReDoS condition. While not a complete solution, this can reduce the attack surface. Monitoring CPU usage on the server hosting the application is also recommended to detect potential exploitation attempts. There are no specific WAF rules or detection signatures readily available for this particular ReDoS vulnerability, emphasizing the importance of patching.
No official patch available. Check for workarounds or monitor for updates.
CVE-2015-8854 is a Denial of Service vulnerability in the Marked.js library, affecting versions 0.3.3 and earlier. Malicious Markdown input can trigger a ReDoS condition, leading to application crashes or performance degradation.
You are affected if your Node.js application uses Marked.js version 0.3.3 or earlier. Check your package.json file to determine your Marked.js version.
Upgrade Marked.js to version 0.3.4 or later. If upgrading is not possible immediately, implement input validation to sanitize Markdown content before processing.
There is no evidence of active exploitation campaigns targeting CVE-2015-8854, but the ReDoS nature of the vulnerability makes exploitation possible.
While a dedicated advisory may not exist, information about the vulnerability can be found in the Marked.js GitHub repository and related security discussions.