CVE-2015-8854

Description

The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

• http://www.openwall.com/lists/oss-security/2016/04/20/11
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/
• https://nodesecurity.io/advisories/23
• https://support.f5.com/csp/article/K05052081?utm_source=f5support&amp%3Butm_medium=RSS
• https://nvd.nist.gov/vuln/detail/CVE-2015-8854
• https://github.com/chjj/marked/issues/497
• https://github.com/advisories/GHSA-hjcp-j389-59ff
• https://github.com/chjj/marked
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S
• https://support.f5.com/csp/article/K05052081?utm_source=f5support&utm_medium=RSS
• https://www.npmjs.com/advisories/23
• https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
• https://security-tracker.debian.org/tracker/CVE-2015-8854

CWEs

CWE-1333

💬 Discuss CVE-2015-8854 on VIR Community →

Community-verified mitigations for this CVE will appear above when contributors publish them.