{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/marked/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["marked"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","javascript","marked","vulnerability"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eA critical Denial of Service (DoS) vulnerability has been identified in \u003ccode\u003emarked@18.0.0\u003c/code\u003e. This vulnerability arises from the processing of a specific 3-byte input sequence: a tab character, a vertical tab character, and a newline character (\u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e). An unauthenticated attacker can exploit this by sending this sequence to a Node.js application utilizing the vulnerable version of the \u003ccode\u003emarked\u003c/code\u003e library. This input triggers an infinite recursion loop within the \u003ccode\u003emarked\u003c/code\u003e tokenizer during parsing, leading to unbounded memory allocation and ultimately causing the host Node.js application to crash due to Memory Exhaustion (OOM). This vulnerability allows for a total loss of availability for any application using the vulnerable library to process potentially untrusted input.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted input string containing the sequence \u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e to a Node.js application using \u003ccode\u003emarked@18.0.0\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003espace()\u003c/code\u003e tokenizer in \u003ccode\u003emarked\u003c/code\u003e consumes the initial tab character (\u003ccode\u003e\\x09\u003c/code\u003e) using the regex \u003ccode\u003e/^(?:[ \\t]*(?:\\n|$))+/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe newline block rule fails to match the remaining \u003ccode\u003e\\x0b\\n\u003c/code\u003e sequence because the vertical tab is not accounted for in the rule \u003ccode\u003e[ \\t]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe parser falls through to the \u003ccode\u003etext\u003c/code\u003e tokenizer (\u003ccode\u003e/^[^\\n]+/\u003c/code\u003e), which matches the \u003ccode\u003e\\x0b\\n\u003c/code\u003e sequence.\u003c/li\u003e\n\u003cli\u003eInside the \u003ccode\u003eblockTokens()\u003c/code\u003e function, the \u003ccode\u003etext\u003c/code\u003e tokenizer creates a text token.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eblockTokens()\u003c/code\u003e function then calls \u003ccode\u003einlineTokens()\u003c/code\u003e on the same input (\u003ccode\u003e\\x0b\\n\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003einlineTokens()\u003c/code\u003e function\u0026rsquo;s text rule matches \u003ccode\u003e\\x0b\\n\u003c/code\u003e and recursively calls \u003ccode\u003einlineTokens()\u003c/code\u003e again, leading to an infinite loop.\u003c/li\u003e\n\u003cli\u003eEach recursive call allocates new token objects and concatenates strings, causing memory usage to grow until the Node.js heap limit is reached, resulting in a crash.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability results in a High-Severity Denial of Service (DoS) via Memory Exhaustion. Any application, API, chatbot, or documentation system using \u003ccode\u003emarked@18.0.0\u003c/code\u003e to parse untrusted user input is vulnerable. The attack requires minimal resources from the attacker, only the ability to send a 3-byte payload, to cause a total loss of availability. The vulnerability affects \u003ccode\u003enpm/marked\u003c/code\u003e versions greater than or equal to 18.0.0 and less than or equal to 18.0.1.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the \u003ccode\u003emarked\u003c/code\u003e library that addresses the infinite recursion vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor Node.js application logs for error messages indicating memory exhaustion or crashes, which might indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement input validation to sanitize or reject input containing the malicious \u003ccode\u003e\\x09\\x0b\\n\u003c/code\u003e sequence.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for \u003ccode\u003emarked\u003c/code\u003e process crashes due to memory exhaustion to identify exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-marked-dos/","summary":"A denial of service vulnerability exists in marked version 18.0.0 due to infinite recursion when processing a specific 3-byte sequence (tab, vertical tab, and newline), leading to unbounded memory allocation and application crash.","title":"Denial of Service Vulnerability in marked via Infinite Recursion","url":"https://feed.craftedsignal.io/briefs/2024-01-03-marked-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Marked","version":"https://jsonfeed.org/version/1.1"}