CVE-2021-21306: Regular Expression Denial of Service (REDoS) in Marked
CVSS Score: 5.3 (CVSS v3.1)

Basic Information
CVE ID: CVE-2021-21306
GHSA ID:
EPSS Score: 0.68572%
CWE: CWE-400
Published: 2/8/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
marked | npm | >= 1.1.1, < 2.0.0 | 2.0.0 |
Vulnerability Intelligence (Miggo AI)
Root Cause Analysis
The vulnerability was caused by inefficient regular expressions in the emphasis/strong parsing logic, which allowed crafted Markdown input to trigger catastrophic backtracking. The fix in commit 7293251 shows:
- Removal of the separate em and strong tokenizers in Tokenizer.js
- Replacement with a single combined emStrong tokenizer using safer regex patterns
- A complete overhaul of the em/strong regex rules in rules.js (the old patterns were replaced)

Supporting evidence:
- GitHub issue #1927 demonstrates the attack vector using underscore patterns
- The CWE-400 mapping confirms this is an uncontrolled resource consumption issue driven by regex evaluation