Miggo Logo

CVE-2015-8854: Regular Expression Denial of Service in marked

7.5

CVSS Score
3.0

Basic Information

EPSS Score
0.76239%
Published
10/24/2017
Updated
2/9/2024
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
markednpm< 0.3.40.3.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability specifically references the 'em inline rule' as the attack vector. In marked's architecture, inline parsing rules like emphasis are handled by regex patterns in the lexer. The ReDoS vulnerability stems from inefficient regex patterns in the emphasis rule that could be exploited with crafted underscore patterns. This matches the CWE-1333 (Inefficient Regex Complexity) classification and the GitHub issue #497 demonstrating CPU hang with underscore-heavy input. The patch in v0.3.4 would have addressed this specific regex pattern in the emphasis handling code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rsions *.*.* *n* **rli*r o* `m*rk**` *r* *****t** *y * r**ul*r *xpr*ssion **ni*l o* s*rvi** ( R**oS ) vuln*r**ility w**n p*ss** inputs t**t r**** t** `*m` inlin* rul*. ## R**omm*n**tion Up**t* to v*rsion *.*.* or l*t*r.

Reasoning

T** vuln*r**ility sp**i*i**lly r***r*n**s t** '*m inlin* rul*' *s t** *tt**k v**tor. In m*rk**'s *r**it**tur*, inlin* p*rsin* rul*s lik* *mp**sis *r* **n*l** *y r***x p*tt*rns in t** l*x*r. T** R**oS vuln*r**ility st*ms *rom in***i*i*nt r***x p*tt*rn