Platform: nodejs
Component: marked
Fixed in: 0.3.4
CVE-2015-8854 describes a Denial of Service (DoS) vulnerability within the Marked.js library, specifically affecting versions 0.3.3 and earlier. This vulnerability arises from a Regular Expression Denial of Service (ReDoS) condition when processing malicious inputs that target the em inline rule. Exploitation can lead to significant performance degradation or application crashes, impacting Node.js applications utilizing this library. A fix is available in version 0.3.4.
An attacker can exploit this vulnerability by crafting malicious input strings designed to trigger the ReDoS condition within Marked.js. These inputs, when processed by the em inline rule, cause the regular expression engine to enter an infinite loop, consuming excessive CPU resources and potentially leading to a denial of service. The impact extends to any Node.js application that uses Marked.js to render Markdown content, potentially affecting web servers, documentation generators, and other tools. The blast radius is limited to the application processing the vulnerable Markdown, but widespread use of Marked.js means many applications could be at risk. Similar ReDoS vulnerabilities have been observed in other regular expression-heavy parsing libraries, highlighting the importance of careful regex design.
CVE-2015-8854 was publicly disclosed in 2017. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) exploits are readily available, but the ReDoS nature of the vulnerability makes it relatively straightforward to construct malicious inputs. It is not listed on the CISA KEV catalog. The vulnerability's age and lack of public exploits suggest a low probability of exploitation in the current threat landscape.
Exploit Status
EPSS: 0.89% (75% percentile)
The primary mitigation for CVE-2015-8854 is to upgrade Marked.js to version 0.3.4 or later, which contains the fix for the ReDoS vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing input validation to sanitize Markdown content before passing it to Marked.js. Specifically, filter out or escape potentially malicious characters or patterns that could trigger the vulnerable regular expression. While a WAF or proxy cannot directly address this vulnerability, they can be configured to block requests containing suspicious Markdown payloads. After upgrading, confirm the fix by attempting to render a known malicious Markdown input that previously triggered the ReDoS condition; it should now process without excessive CPU usage.
CVE-2015-8854 is a Denial of Service vulnerability in the Marked.js library, affecting versions 0.3.3 and earlier. Malicious Markdown input can trigger a ReDoS condition, leading to application crashes or performance degradation.
You are affected if your Node.js application uses Marked.js version 0.3.3 or earlier. Check your package.json file to determine your Marked.js version.
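The version check described above, as an added example (not code from the Marked.js project or from this advisory). It goes beyond `package.json` and walks a parsed `package-lock.json`, so copies of marked pulled in transitively are also compared against 0.3.4; the sample lockfile and the `md-render` package name are constructed for illustration.

```javascript
// Fixed release named in this advisory: anything below it is affected.
const FIXED = [0, 3, 4];

// Parse "x.y.z" (suffixes ignored) into [x, y, z]; null if it is not a plain version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when the version is below 0.3.4. Unparseable values (git URLs, missing
// version fields) are reported as affected so that they get a manual review.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false; // exactly 0.3.4
}

// Collect every installed copy of marked from a parsed lockfile.
// lockfileVersion 2/3 lists installs under "packages" keyed by path;
// lockfileVersion 1 nests them under "dependencies".
function findMarked(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, pkg] of Object.entries(lock.packages)) {
      if (path.split('node_modules/').pop() === 'marked') hits.push({ path, version: pkg.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === 'marked') hits.push({ path, version: pkg.version });
      walk(pkg.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

function auditLock(lock) {
  return findMarked(lock).map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample: the direct dependency is fixed, a transitive copy is not.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'docs-site', version: '1.0.0' },
  'node_modules/marked': { version: '0.3.4' },
  'node_modules/md-render/node_modules/marked': { version: '0.3.3' },
  'node_modules/marked-terminal': { version: '1.0.0' } } };
console.log(auditLock(sampleLock));
```

To run it against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` to `auditLock`.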
Upgrade Marked.js to version 0.3.4 or later. If upgrading is not possible immediately, implement input validation to sanitize Markdown content before processing.
There is no evidence of active exploitation campaigns targeting CVE-2015-8854, but the ReDoS nature of the vulnerability makes exploitation possible.
While a dedicated advisory may not exist, information about the vulnerability can be found in the Marked.js GitHub repository and related security discussions.