CVE-2022-21680 Overview
CVE-2022-21680 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Marked, a popular markdown parser and compiler for Node.js. Prior to version 4.0.10, the regular expression block.def may cause catastrophic backtracking against certain input strings, leading to a denial of service condition. Applications that process untrusted markdown input through vulnerable versions of Marked without implementing worker thread timeouts are at risk of resource exhaustion attacks.
Critical Impact
Attackers can craft malicious markdown input that triggers catastrophic regex backtracking, causing the application to become unresponsive and potentially exhausting server resources.
Affected Products
- Marked versions prior to 4.0.10 (Node.js package)
- Fedora 36 (via packaged marked component)
- Any application using vulnerable Marked versions to parse untrusted markdown
Discovery Timeline
- 2022-01-14 - CVE-2022-21680 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-21680
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity). The vulnerable regular expression in the block.def pattern contains constructs that allow for exponential backtracking when processing specially crafted input strings.
Regular Expression Denial of Service (ReDoS) attacks exploit the non-deterministic nature of regex engines. When a regex contains nested quantifiers or overlapping alternations, the engine may need to explore an exponentially growing number of possible matches before determining that no match exists. This results in CPU-bound operations that can lock up processing threads indefinitely.
Root Cause
The root cause lies in the block.def regular expression used for parsing markdown definition references. The original pattern contained inefficient groupings with optional whitespace handling that created multiple possible matching paths. Specifically, the pattern *\\n? * allowed the regex engine to backtrack extensively when encountering malformed or adversarial input, as there were multiple ways to match or skip the newline and space characters.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by submitting crafted markdown content to any endpoint or service that processes it through the vulnerable Marked library. The attack is particularly effective against:
- Web applications with markdown preview functionality
- Content management systems accepting markdown input
- API endpoints processing markdown documentation
- Chat applications with markdown rendering
// Security patch in src/rules.js
// Source: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
+ '|<(?!script|pre|style|textarea)([a-z][\\w-]*)(?:attribute)*? */?>(?=[ \\t]*(?:\\n|$))[\\s\\S]*?(?:(?:\\n *)+\\n|$)' // (7) open tag
+ '|</(?!script|pre|style|textarea)[a-z][\\w-]*\\s*>(?=[ \\t]*(?:\\n|$))[\\s\\S]*?(?:(?:\\n *)+\\n|$)' // (7) closing tag
+ ')',
- def: /^ {0,3}\[(label)\]: *\n? *<?([^\s>]+)>?(?:(?: +\n? *| *\n *)(title))? *(?:\n+|$)/,
+ def: /^ {0,3}\[(label)\]: *(?:\n *)?<?([^\s>]+)>?(?:(?: +(?:\n *)?| *\n *)(title))? *(?:\n+|$)/,
table: noopTest,
lheading: /^([^\n]+)\n {0,3}(=+|-+) *(?:\n+|$)/,
// regex template, placeholders will be replaced according to different paragraph
The patch modifies the regex to use non-capturing groups with more precise patterns, reducing the number of backtracking paths available to the regex engine.
Detection Methods for CVE-2022-21680
Indicators of Compromise
- Abnormally high CPU utilization on servers processing markdown content
- Application threads becoming unresponsive during markdown parsing operations
- Increased response times or timeouts on endpoints accepting markdown input
- Memory consumption spikes associated with regex processing
- Error logs showing timeout exceptions in markdown parsing functions
Detection Strategies
- Monitor Node.js application CPU usage patterns for sustained spikes during content processing
- Implement application performance monitoring (APM) to track markdown parsing latency
- Use dependency scanning tools to identify vulnerable marked package versions in package.json or package-lock.json
- Deploy runtime protection that can detect and terminate runaway regex operations
- Set up alerting for requests with unusually long processing times to markdown endpoints
Monitoring Recommendations
- Configure SentinelOne Singularity to monitor for resource exhaustion patterns in Node.js processes
- Implement request timeout monitoring on all endpoints that accept markdown input
- Track the ratio of markdown input size to processing time to detect anomalous patterns
- Monitor for repeated requests from single sources targeting markdown processing endpoints
- Review application logs for patterns of failed or timed-out markdown parsing operations
How to Mitigate CVE-2022-21680
Immediate Actions Required
- Upgrade Marked to version 4.0.10 or later immediately
- Audit all applications and dependencies for usage of vulnerable Marked versions
- Implement input size limits on markdown content before processing
- Run Marked parsing in a worker thread with enforced time limits
- Consider temporarily disabling markdown processing for untrusted input until patched
Patch Information
The vulnerability is fixed in Marked version 4.0.10. The patch modifies the block.def regular expression in src/rules.js to eliminate the catastrophic backtracking condition. Organizations should update their dependencies using:
npm update marked
For more information, refer to the GitHub Security Advisory GHSA-rrrm-qjm4-v8hf and the GitHub Release v4.0.10.
Workarounds
- Run Marked parsing in a dedicated worker thread with a strict timeout (e.g., 5 seconds)
- Implement input sanitization to reject markdown content exceeding reasonable size limits
- Deploy a web application firewall (WAF) to filter potentially malicious markdown patterns
- Use rate limiting on endpoints that process markdown to reduce attack surface
# Configuration example for running marked with timeout in Node.js
# Create a worker wrapper with timeout enforcement
# package.json dependency update
npm install marked@^4.0.10 --save
# Verify installed version
npm list marked
# Expected output: marked@4.0.10 or higher
# For environments where immediate upgrade is not possible,
# implement worker thread with timeout:
# - Use worker_threads module
# - Set timeout to 5000ms maximum
# - Terminate worker on timeout to prevent resource exhaustion
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
