CVE-2021-21306: Regular Expression Denial of Service (REDoS) in Marked

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.68572%
Published: 2/8/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: marked
Ecosystem: npm
Vulnerable Versions: >= 1.1.1, < 2.0.0
First Patched Version: 2.0.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability was caused by inefficient regular expressions in the emphasis/strong parsing logic. The commit 7293251 shows:

  1. Removal of the separate em and strong tokenizers in Tokenizer.js
  2. Their replacement with a combined emStrong tokenizer that uses safer regex patterns
  3. A complete overhaul of the regex rules in rules.js, replacing the old em/strong patterns
  4. GitHub issue #1927, which demonstrates the attack vector using underscore patterns
  5. The CWE-400 mapping, which confirms this is an uncontrolled resource consumption issue caused by regex backtracking

