gajus/gitdown

Vulnerability due to dependency on outdated version of "marked" (WS-2020-0163, CVE-2021-21306, CVE-2022-21681)

Opened this issue · 1 comments

https://security-tracker.debian.org/tracker/CVE-2022-21681
https://nvd.nist.gov/vuln/detail/CVE-2021-21306
https://snyk.io/test/npm/gitdown

To resolve, gitdown would need to update its dependency of "marked" to "^4.0.10"

NPM Overrides are insufficient to solve this problem in the meantime because gitdown uses marked directly as the parse function call. The fixed version of marked requires marked.parse() rather than marked(). Overriding will just cause errors because of that one line in gitdown's code.

These are Regular Expression Denial of Service vulnerabilities. Please upgrade this dependency as many of our packages use gitdown but will be blocked when the SLA on this vulnerability has been exceeded.

Added info on ReDoS: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
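The call-shape problem described above, as an added example (not gitdown's or marked's own code): a call site that resolves the parse entry point by shape works with both the pre-4.x `marked()` function export and the 4.x `marked.parse()` API, while a direct `marked(src)` call throws once an override swaps in marked 4. The two module objects are constructed stand-ins for the real package so this runs offline.

```javascript
// Stand-in for marked < 4 (constructed): the module export is the parse function.
function legacyMarked(src) {
  return `<p>${src}</p>\n`;
}

// Stand-in for marked >= 4.0.10 (constructed): an object exposing parse().
const modernMarked = {
  parse(src) {
    return `<p>${src}</p>\n`;
  },
};

// The direct call style the issue describes: works on marked < 4,
// throws "marked is not a function" once the override installs marked 4.
function callDirectly(markedModule, src) {
  return markedModule(src);
}

// Pick the parse function by inspecting the module's shape rather than
// its version string, so the same call site survives an npm override.
function resolveParse(markedModule) {
  if (typeof markedModule === 'function') {
    return markedModule; // marked < 4
  }
  if (markedModule && typeof markedModule.parse === 'function') {
    return markedModule.parse.bind(markedModule); // marked >= 4
  }
  throw new TypeError('unsupported marked module shape');
}

function render(markedModule, src) {
  return resolveParse(markedModule)(src);
}
```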

This should now be resolved as versions should be higher than or equal to 13.0.2