CVE-2022-21680

7.5 HIGH

📋 TL;DR

CVE-2022-21680 is a regular expression denial of service (ReDoS) vulnerability in the marked JavaScript markdown parser. Attackers can craft malicious markdown content that causes catastrophic backtracking in the parser's regular expression, leading to excessive CPU consumption and service disruption. Anyone processing untrusted markdown through vulnerable versions of marked without proper resource limits is affected.

💻 Affected Systems

Products:
  • marked (JavaScript markdown parser)
Versions: All versions prior to 4.0.10
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications that process untrusted markdown input. Applications using marked with trusted content only are not vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, potentially affecting all users of the application and requiring a server restart.

🟠 Likely Case: Degraded performance or temporary service disruption for users while malicious markdown is being processed, with automatic recovery after the render times out.

🟢 If Mitigated: Minimal impact when worker-thread timeouts or input validation prevent resource exhaustion.

🌐 Internet-Facing: HIGH - Web applications processing user-submitted markdown (like forums, documentation sites, or comment systems) are directly exposed to attack.
🏢 Internal Only: MEDIUM - Internal tools processing markdown could be exploited by malicious insiders or through compromised accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only submitting specially crafted markdown text. The vulnerability is well-documented with public proof-of-concept examples available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.0.10

Vendor Advisory: https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf

Restart Required: Yes

Instructions:

1. Update the marked dependency to version 4.0.10 or later.
2. For npm: run 'npm update marked'.
3. For yarn: run 'yarn upgrade marked'.
4. Restart your application to load the updated package.

🔧 Temporary Workarounds

Worker thread with timeout (applies to: all)

Run marked in a worker thread with a reasonable execution time limit so that a render stuck in catastrophic backtracking is killed instead of pinning the main event loop.

// JavaScript example: Use worker threads with timeout
const { Worker } = require('worker_threads');
function renderWithTimeout(markdownInput, timeoutMs = 5000) {
  return new Promise((resolve, reject) => {
    const worker = new Worker('./markdown-worker.js'); // worker runs marked() on the text it receives and posts the HTML back
    const timer = setTimeout(() => { worker.terminate(); reject(new Error('markdown rendering timed out')); }, timeoutMs);
    worker.once('message', (html) => { clearTimeout(timer); worker.terminate(); resolve(html); }); // clear the timer on success
    worker.once('error', (err) => { clearTimeout(timer); reject(err); });
    worker.postMessage(markdownInput);
  });
}

Input validation and sanitization (applies to: all)

Implement input validation to reject suspicious markdown patterns before they reach the parser.

// JavaScript example: Basic pattern rejection
function sanitizeMarkdown(input) {
  // No /g flag: a global regex keeps lastIndex between test() calls, so the same
  // pattern object can wrongly return false for a later input that does match.
  // These patterns are deliberately coarse (the first rejects every inline link);
  // tune them to what your application legitimately needs to accept.
  const suspiciousPatterns = [/\[.*?\]\(.*?\)/, /\*{3,}/];
  for (const pattern of suspiciousPatterns) {
    if (pattern.test(input)) {
      throw new Error('Suspicious markdown detected');
    }
  }
  return input;
}

🧯 If You Can't Patch

  • Implement strict input validation to reject complex nested markdown patterns
  • Deploy rate limiting and monitoring for markdown processing endpoints

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list marked' to see installed version. If version is below 4.0.10, you are vulnerable.

Check Version:

npm list marked | grep marked

Verify Fix Applied:

After updating, verify the version is 4.0.10 or higher using 'npm list marked' or check package.json.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes on markdown processing endpoints
  • Process timeouts or worker thread terminations
  • Unusually large markdown payloads in request logs

Network Indicators:

  • Multiple requests with similar markdown patterns in short timeframes
  • Large markdown payloads (over typical size)

SIEM Query:

source="application_logs" AND (message="marked" OR message="markdown") AND (cpu_usage>90 OR duration>10s)
