CVE-2018-25110 in Marked

Summary

by MITRE • 05/23/2025

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

Analysis

by VulDB Data Team • 08/14/2025

The vulnerability identified as CVE-2018-25110 represents a critical security flaw in a software component that processes markdown and HTML content, specifically affecting versions prior to 0.3.17. This issue manifests as a Regular Expression Denial of Service (ReDoS) vulnerability that exploits catastrophic backtracking patterns within the parsing logic. The vulnerability occurs when the software processes specially crafted markdown input containing deeply nested structures or repetitively formatted brackets and tag attributes. The underlying technical flaw stems from poorly constructed regular expressions that exhibit exponential time complexity when processing malicious input patterns, causing the parsing engine to consume excessive computational resources and ultimately resulting in system unresponsiveness or complete denial of service.

The operational impact of this vulnerability extends beyond simple service disruption as it enables attackers to craft inputs that cause the affected system to enter into prolonged processing states or infinite loops. When an attacker submits malicious markdown content with nested brackets or repetitive structural patterns, the regular expressions employed for parsing HTML tags and markdown links undergo catastrophic backtracking, where the regex engine attempts to match the input against multiple possible paths, leading to exponential execution time growth. This behavior directly aligns with the Common Weakness Enumeration CWE-400, which categorizes excessive computation as a weakness that can lead to denial of service conditions. The vulnerability is particularly dangerous in environments where the software processes user-submitted content, as it can be exploited to exhaust system resources and render services unavailable to legitimate users.

The attack vector for this vulnerability operates through the parsing of user-provided markdown input that contains maliciously constructed nested structures or repetitive bracket patterns. According to the ATT&CK framework, this represents a privilege escalation and denial of service technique that can be executed without requiring elevated privileges. The vulnerability is particularly concerning in web applications or content management systems where markdown processing is a core functionality, as it allows attackers to disrupt service availability through carefully crafted inputs that trigger the catastrophic backtracking behavior in the regular expressions. Security researchers have documented similar patterns in various parsing libraries where regex implementations fail to account for the computational complexity of certain input patterns, making this a common class of vulnerability in text processing components.

Mitigation strategies for CVE-2018-25110 involve multiple layers of defensive measures including immediate version upgrading to 0.3.17 or later, where the regular expressions have been properly refactored to eliminate catastrophic backtracking patterns. Additionally, input validation and sanitization techniques should be implemented to limit the depth and complexity of nested structures that can be processed by the parser. The implementation of regex engine timeouts or resource limits can provide additional protection against exploitation attempts. Organizations should also consider employing alternative parsing approaches that do not rely on regular expressions for complex parsing tasks, or utilize well-tested parsing libraries that have been designed to resist such attacks. Security monitoring and intrusion detection systems should be configured to detect unusual processing patterns that might indicate exploitation attempts, and comprehensive testing should be performed to ensure that the patched version properly handles edge cases without introducing new vulnerabilities.
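The version check and input limits described above can be combined into a guard that runs before the parser, shown here as an added example that is not code from Marked or from this advisory. The function names and the default limits are assumptions to tune per application; only the 0.3.17 threshold comes from the text.

```javascript
// Added example: names and limits are assumptions, not part of Marked's API.
const FIXED_VERSION = [0, 3, 17]; // first fixed release named in the advisory

// True when a plain "x.y.z" version string is 0.3.17 or later.
function isPatchedMarked(version) {
  const parts = String(version).split('.').map((p) => parseInt(p, 10));
  for (let i = 0; i < 3; i++) {
    const have = Number.isInteger(parts[i]) ? parts[i] : 0;
    if (have !== FIXED_VERSION[i]) return have > FIXED_VERSION[i];
  }
  return true;
}

// One linear pass (no regex) over the input, bounding the shapes the advisory names.
function checkMarkdownBudget(input, limits = {}) {
  const { maxLength = 50000, maxDepth = 16, maxRun = 256, maxTagLength = 1024 } = limits;
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  if (input.length > maxLength) return { ok: false, reason: 'too-long' };
  let depth = 0;   // currently open '[' brackets
  let run = 0;     // length of the current run of one repeated character
  let tagLen = -1; // characters seen since an unclosed '<', or -1 outside a tag
  let prev = '';
  for (const ch of input) {
    run = ch === prev ? run + 1 : 1;
    prev = ch;
    if (run > maxRun) return { ok: false, reason: 'repeated-character-run' };
    if (ch === '[') {
      if (++depth > maxDepth) return { ok: false, reason: 'bracket-nesting' };
    } else if (ch === ']' && depth > 0) {
      depth--;
    }
    if (ch === '<') tagLen = 0;
    else if (ch === '>') tagLen = -1;
    else if (tagLen >= 0 && ++tagLen > maxTagLength) {
      return { ok: false, reason: 'oversized-tag' };
    }
  }
  return { ok: true, reason: null };
}

// Refuse to render with an unpatched parser or an over-budget document.
// `render` is whatever the application uses, e.g. the marked function.
function renderGuarded(input, render, markedVersion, limits) {
  if (!isPatchedMarked(markedVersion)) {
    throw new Error('marked ' + markedVersion + ' predates 0.3.17; upgrade first');
  }
  const verdict = checkMarkdownBudget(input, limits);
  if (!verdict.ok) throw new RangeError('markdown rejected: ' + verdict.reason);
  return render(input);
}
```

The guard complements the upgrade and does not replace it: it caps how much work any single document can ask of the parser, whichever regular expressions that parser uses.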

Responsible: Checkmarx
Reservation: 05/19/2025
Disclosure: 05/23/2025
Moderation: accepted
CPE: ready
EPSS: 0.00493
KEV: no
Activities: very low
