5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21306

GHSA ID

GHSA-4r62-v4vq-hr96

EPSS Score

0.68572%

CWE

CWE-400

Published

2/8/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21306

CVE-2021-21306: Regular Expression Denial of Service (REDoS) in Marked

Impact

What kind of vulnerability is it? Who is impacted?

Regular expression Denial of Service

A Denial of Service attack can affect anyone who runs user generated code through marked.

Patches

Has the problem been patched? What versions should users upgrade to?

patched in v2.0.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

None.

References

Are there any links users can visit to find out more?

https://github.com/markedjs/marked/issues/1927 https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

Open an issue in marked

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21306

GHSA ID

GHSA-4r62-v4vq-hr96

EPSS Score

0.68572%

CWE

CWE-400

Published

2/8/2021

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
marked	npm	>= 1.1.1, < 2.0.0	2.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was caused by inefficient regular expressions in the emphasis/strong parsing logic. The commit 7293251 shows:

Removal of separate em/strong tokenizers in Tokenizer.js
Replacement with a combined emStrong tokenizer with safer regex patterns
Complete overhaul of regex rules in rules.js (old em/strong patterns replaced)
The GitHub issue #1927 demonstrates the attack vector with underscore patterns
CWE-400 mapping confirms this is a resource consumption issue via regex

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ [R**ul*r *xpr*ssion **ni*l o* S*rvi**](*ttps://ow*sp.or*/www-*ommunity/*tt**ks/R**ul*r_*xpr*ssion_**ni*l_o*_S*rvi**_-_R**oS) * **ni*l o* S*rvi** *tt**k **n *****t *nyon* w*o runs us*r

Reasoning

T** vuln*r**ility w*s **us** *y in***i*i*nt r**ul*r *xpr*ssions in t** *mp**sis/stron* p*rsin* lo*i*. T** *ommit ******* s*ows: *. R*mov*l o* s*p*r*t* *m/stron* tok*niz*rs in Tok*niz*r.js *. R*pl***m*nt wit* * *om*in** *mStron* tok*niz*r wit* s***r r

5.3

Basic Information

Concerned about an active attack path?

CVE-2021-21306: Regular Expression Denial of Service (REDoS) in Marked

Impact

Patches

Workarounds

References

For more information

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI