
CVE-2018-25110: Marked allows Regular Expression Denial of Service (ReDoS) attacks

CVSS Score
6.9
CVSS Version
4.0

Basic Information

EPSS Score
0.21755%
Published
5/23/2025
Updated
5/27/2025
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Package Name
marked
Ecosystem
npm
Vulnerable Versions
< 0.3.17
First Patched Version
0.3.17

Vulnerability Intelligence

Root Cause Analysis

The vulnerability CVE-2018-25110 in `marked` (prior to version 0.3.17) is a Regular Expression Denial of Service (ReDoS) caused by inefficient regular expressions used for parsing HTML tags and markdown links. The referenced commit `20bfc106013ed45713a21672ad4a34df94dcd485` directly addresses these issues by modifying the problematic regexes.

  1. HTML Tag Parsing (Block Level): The `block.html` regex, specifically its `closing` component, was vulnerable. This regex is used by `Lexer.prototype.token` when identifying block-level HTML. The patch replaces it with `.replace('closing', /<tag(?:"[^"]*"|'[^']*'|\s[^'"\/>\s]*)*?\/?>/)`, which makes the attribute-parsing part more restrictive (`\s[^'"\/>\s]*` instead of `\s[^'"\/>]*`): an attribute token can no longer contain whitespace, so a run of whitespace has exactly one way to be consumed, preventing catastrophic backtracking on repeated empty attributes or similar patterns. The added test file `test/new/redos_html_closing.md` confirms this fix.

  2. HTML Tag Parsing (Inline Level): The `inline.tag` regex was also vulnerable and is used by `InlineLexer.prototype.tok`. The patch changes it to `tag: /^<!--[\s\S]*?-->|^<\/?[a-zA-Z0-9\-]+(?:"[^"]*"|'[^']*'|\s[^<'">\/\s]*)*?\/?>/`, applying the same fix to the attribute-parsing part as in `block.html`.

  3. Markdown Link Parsing: The vulnerability description mentions issues with "deeply nested or repetitively structured brackets", which points to the regexes handling markdown links, such as `inline.nolink`, `inline.link`, and `inline.reflink` (the latter two use `inline._inside`). The commit modifies these regexes (though the exact changes for `nolink` and `_inside` are not fully clear from the snippet, the commit intent and the added test `redos_nolink.md` imply fixes). These regexes are used within `InlineLexer.prototype.tok`.

The functions `Lexer.prototype.token` and `InlineLexer.prototype.tok` are the core lexing/tokenizing methods that execute these regular expressions against the input markdown. Therefore, when a malicious input triggers the ReDoS, these functions are the ones consuming excessive CPU and would appear in a runtime profile or stack trace during the hang. The main `marked()` function orchestrates the parsing by calling these lexer methods.
