CVE-2015-8854
First published: Mon Jan 23 2017(Updated: )
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/marked | <0.3.4 | 0.3.4 |
| Marked Project | <0.3.4 | |
| Red Hat Fedora | =31 | |
| Red Hat Fedora | =32 | |
| Langgenius Dify Node.js | <=0.3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2016/04/20/11
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/
- https://nodesecurity.io/advisories/23
- https://support.f5.com/csp/article/K05052081?utm_source=f5support&utm_medium=RSS
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/
- https://support.f5.com/csp/article/K05052081?utm_source=f5support&%3Butm_medium=RSS
- https://nvd.nist.gov/vuln/detail/CVE-2015-8854
- https://github.com/chjj/marked/issues/497
- https://github.com/advisories/GHSA-hjcp-j389-59ff (Advisory)
- https://www.npmjs.com/advisories/23
- https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Frequently Asked Questions
What is the severity of CVE-2015-8854?
CVE-2015-8854 is classified as a denial of service vulnerability due to its potential for CPU consumption.
How do I fix CVE-2015-8854?
To fix CVE-2015-8854, upgrade the marked package to version 0.3.4 or later.
Which versions are affected by CVE-2015-8854?
CVE-2015-8854 affects marked versions prior to 0.3.4 and Node.js versions up to 0.3.3.
What is a regular expression denial of service (ReDoS) in the context of CVE-2015-8854?
In the context of CVE-2015-8854, ReDoS refers to the vulnerability exploiting the catastrophic backtracking of a regex pattern, leading to excessive resource consumption.
Is CVE-2015-8854 related to Node.js or the marked package?
CVE-2015-8854 is specifically related to the marked package used in Node.js applications.
- agent/type
- agent/weakness
- agent/remedy
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hjcp-j389-59ff
- alias/CVE-2015-8854
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/trending
- agent/source
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/tags
- collector/nvd-api
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- collector/nvd-index
- package-manager/npm
- vendor/marked project
- canonical/marked project
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/31
- version/red hat fedora/32
- vendor/nodejs
- canonical/langgenius dify node.js
- version/langgenius dify node.js/0.3.3