Platform
nodejs
Component
marked
Fixed in
0.3.9
CVE-2017-16114 describes a Denial of Service (DoS) vulnerability within the Marked.js Markdown parser. This flaw allows an attacker to trigger a regular expression denial of service, leading to significant performance degradation and potential service unavailability. The vulnerability impacts versions of Marked.js released before 0.3.9. Updating to version 0.3.9 or later resolves this issue.
The core of this vulnerability lies in Marked.js's regular expression processing. A specially crafted Markdown input can drive one of the parser's own regular expressions into catastrophic backtracking, so that parsing effectively never completes or consumes excessive resources. The amplification factor is considerable; even a relatively small input (1,000 characters) can result in the event loop being blocked for approximately 6 seconds. Because Node.js runs JavaScript on a single thread, this prolonged blocking renders the application unresponsive to every other request, effectively denying service to legitimate users. The impact is particularly severe in web applications heavily reliant on Markdown parsing, as it can lead to widespread disruption.
CVE-2017-16114 was published on July 24, 2018. While no active exploitation campaigns have been publicly reported, the ease of triggering the vulnerability and its potential for significant disruption make it a persistent risk. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation. Public proof-of-concept (PoC) code exists, demonstrating the vulnerability's exploitability.
Exploit status
EPSS
0.40% (61st percentile)
CVSS vector
The primary mitigation for CVE-2017-16114 is to upgrade Marked.js to version 0.3.9 or later. This version incorporates fixes to prevent the regular expression denial of service. If upgrading is not immediately feasible, consider implementing input validation to sanitize Markdown content before passing it to Marked.js. Specifically, limit the length of untrusted Markdown and reject inputs built to trigger pathological regular expression matching. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block malicious regular expression patterns could also provide a layer of defense.
No official patch available. Check for workarounds or monitor for updates.
CVE-2017-16114 is a Denial of Service vulnerability in Marked.js, allowing attackers to trigger a regular expression denial of service, potentially blocking the application's event loop.
You are affected if you are using Marked.js versions prior to 0.3.9. Check your project dependencies to determine if you are vulnerable.
Upgrade Marked.js to version 0.3.9 or later. If immediate upgrade is not possible, implement input validation to sanitize Markdown content.
While no active campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a persistent risk. Public PoC code exists.
Refer to the Marked.js GitHub repository for information and updates related to this vulnerability: https://github.com/markedjs/marked
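The dependency check and the input-validation fallback described above, as an added example for a Node.js service that renders Markdown with marked; this is not code from the advisory or from the marked project. The parser is injected as a function, so the helper runs without marked installed, and the stand-in parsers at the end are constructed for demonstration only.

```javascript
// Added example (not from the advisory or the marked project): a small
// defender-side helper for a Node.js service that renders Markdown with
// marked. It (1) flags installed versions affected by CVE-2017-16114,
// (2) refuses oversized input before it reaches the parser, and
// (3) measures parse time so a ReDoS that blocks the event loop shows
// up in logs. The parser is passed in, so this runs without marked.

const FIXED_VERSION = [0, 3, 9]; // first release that resolves the CVE

// "^0.3.6", "v0.3.9" and "0.4.0" all become numeric [major, minor, patch].
function parseVersion(v) {
  const m = String(v).trim().match(/^[~^>=v\s]*(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when the installed marked version is older than 0.3.9.
function isAffectedMarked(version) {
  return compareVersions(parseVersion(version), FIXED_VERSION) < 0;
}

// Wraps a synchronous Markdown parser. Returns {ok, html, ms, slow} or
// {ok: false, reason}. maxChars bounds the amplification an attacker can
// buy with one request; budgetMs is the alerting threshold for how long
// a single parse may monopolise the event loop.
function guardedParse(parse, input, { maxChars = 20000, budgetMs = 100 } = {}) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxChars) {
    return { ok: false, reason: `input exceeds ${maxChars} characters` };
  }
  const start = Date.now();
  const html = parse(input);
  const ms = Date.now() - start;
  // A running regex cannot be interrupted here; the timing tells the
  // caller to alert and to move parsing off the main thread (e.g. a worker).
  return { ok: true, html, ms, slow: ms > budgetMs };
}

// Constructed stand-ins for the real parser, for demonstration only.
function fastParser(md) { return `<p>${md}</p>`; }
function stalledParser(md) {
  const until = Date.now() + 30; // burn ~30 ms like a backtracking regex
  while (Date.now() < until) { /* spin */ }
  return `<p>${md}</p>`;
}
```

In a real deployment, `isAffectedMarked` would be fed the version from `node_modules/marked/package.json`, and a `slow: true` result is the signal to alert and to isolate parsing in a worker that can be terminated.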