To resolve, gitdown would need to update its dependency on "marked" to "^4.0.10".
NPM overrides are insufficient to solve this problem in the meantime because gitdown uses marked directly as the parse function call. The fixed version of marked requires marked.parse() rather than marked(). Overriding will just cause errors because of that one line in gitdown's code.
These are Regular Expression Denial of Service vulnerabilities. Please upgrade this dependency, as many of our packages use gitdown but will be blocked when the SLA on this vulnerability has been exceeded.
WilliamRADFunk changed the title from "Vulnerability due to dependency on outdated version of "marked"" to "Vulnerability due to dependency on outdated version of "marked" (WS-2020-0163, CVE-2021-21306, CVE-2022-21681)" on May 2, 2022
https://security-tracker.debian.org/tracker/CVE-2022-21681
https://nvd.nist.gov/vuln/detail/CVE-2021-21306
https://snyk.io/test/npm/gitdown
Added info on ReDoS: https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
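The override failure the issue describes, as an added example that is not part of the issue and is not gitdown's or marked's code. The two module objects are constructed stand-ins for the two export shapes the issue describes (a callable export in the old marked, a `parse()` method in the fixed one); their renderer bodies are placeholders, and `getParser`/`renderCompat` are hypothetical helpers showing what a call site would need to do, not gitdown's actual fix.

```javascript
// Added example, not code from gitdown or marked. It models what happens when an
// npm "overrides" entry forces marked ^4 under an unchanged gitdown: the call
// site invokes the module export as a function, while the fixed marked exposes
// parsing as marked.parse(). Both "modules" below are constructed stand-ins for
// those export shapes; the real packages are not loaded here.

// Old shape, as the issue describes it: the export itself is callable.
const markedV3 = Object.assign(
  (src) => `<p>${src}</p>\n`, // placeholder renderer, not marked's
  { version: '3.0.8' }
);

// Fixed shape, as the issue describes it: parsing is marked.parse().
const markedV4 = {
  version: '4.0.10',
  parse: (src) => `<p>${src}</p>\n`, // placeholder renderer, not marked's
};

// Mirrors the single call site the issue points at: the export is called directly.
function renderLikeGitdown(marked, src) {
  return marked(src);
}

// Returns null when the direct call works, otherwise the thrown error's message.
function overrideOutcome(marked, src) {
  try {
    renderLikeGitdown(marked, src);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Hypothetical shim: one code path that tolerates either export shape.
function getParser(marked) {
  if (typeof marked === 'function') return marked;              // callable export
  if (marked && typeof marked.parse === 'function') {
    return (src) => marked.parse(src);                           // marked.parse() export
  }
  throw new TypeError('unsupported marked export shape');
}

function renderCompat(marked, src) {
  return getParser(marked)(src);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(overrideOutcome(markedV3, 'hello')); // null: old shape works
  console.log(overrideOutcome(markedV4, 'hello')); // "marked is not a function"
  console.log(renderCompat(markedV4, 'hello'));    // shim works on the fixed shape
}
```

Run it with node. The direct call throws a TypeError on the object-shaped export, which is the one-line incompatibility the issue describes: an override only changes which marked version gets installed, so the call inside gitdown would still have to change before the override could help.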