anyulled / composing_high_order_functions Goto Github PK

src/package.json

• redux-form-website-template 1.0.21
• redux-form 8.3.10
• redux 5.0.1
• react-redux 9.1.1
• react-dom 18.2.0
• react 18.2.0
• snyk ^1.316.1

Vulnerable Library - marked-0.7.0.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.7.0.tgz

Path to dependency file: Composing_high_order_functions/src/package.json

Path to vulnerable library: Composing_high_order_functions/src/node_modules/marked/package.json

Dependency Hierarchy:

• redux-form-website-template-1.0.21.tgz (Root Library)
  • ❌ marked-0.7.0.tgz (Vulnerable Library)

Found in HEAD commit: dfa32911887fd3dd4733ed0bab33b43d10860456

Found in base branch: master

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: 2020-07-02

URL: WS-2020-0163

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: 2020-07-02

Fix Resolution: marked - 1.1.1