CVE-2018-25110

May 23, 2025, 3:54 p.m.

6.9
Medium

Description

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

Product(s) Impacted

Vendor Product Versions
Marked
  • Marked
  • <0.3.17

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1333
Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a marked marked <0.3.17 / / / / / / /

CVSS Score

6.9 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: LOW
  • Exploit Maturity: NOT_DEFINED
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: May 23, 2025, 3:15 p.m.
Last Modified: May 23, 2025, 3:54 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

596c5446-0ce5-4ba2-aa66-48b3b757a647

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.