{
  "schema_version": "1.4.0",
  "id": "GHSA-xf5p-87ch-gxw2",
  "modified": "2022-08-02T17:43:57Z",
  "published": "2019-06-05T14:10:03Z",
  "aliases": [],
  "summary": "Marked ReDoS due to email addresses being evaluated in quadratic time",
  "details": "Versions of `marked` from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.\n\n\n## Recommendation\n\nUpgrade to version 0.6.2 or later.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "marked"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0.3.14"
            },
            {
              "fixed": "0.6.2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/pull/1460"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/markedjs/marked"
    },
    {
      "type": "WEB",
      "url": "https://github.com/markedjs/marked/releases/tag/v0.6.2"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-MARKED-174116"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/812"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-05T13:50:35Z",
    "nvd_published_at": null
  }
}