PatchSiren cyber security CVE debrief

CVE-2015-8854 Fedoraproject CVE debrief

CVE-2015-8854 describes a denial-of-service issue in the Node.js package marked in versions before 0.3.4. The flaw is a regular expression denial of service (ReDoS) caused by catastrophic backtracking in the em inline rule: crafted input can drive CPU consumption up and reduce service availability. The NVD record rates the issue High with a CVSS 3.1 base score of 7.5.

Vendor: Fedoraproject
Product: CVE-2015-8854
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Teams running marked in Node.js applications, especially where untrusted or user-supplied Markdown is processed. Fedora maintainers and users of packages mapped to the affected Fedora CPEs should also review their package versions and update status.

Technical summary

The supplied CVE record says marked before 0.3.4 is vulnerable to a ReDoS condition in the em inline rule. The weakness is classified as CWE-1333, and the NVD CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. In practical terms, crafted input can trigger expensive regex processing and consume CPU without requiring privileges or user interaction.

Defensive priority

High. This is a remotely reachable availability issue with no privileges or user interaction required, and the primary impact is service slowdown or outage through CPU exhaustion.

Recommended defensive actions

  • Inventory applications and dependencies that use marked and confirm whether any version earlier than 0.3.4 is present.
  • Upgrade marked to 0.3.4 or later, or replace it with a maintained alternative if upgrade support is uncertain.
  • Review any services that accept untrusted Markdown and apply input validation, request throttling, and resource controls where feasible.
  • Monitor for abnormal CPU spikes or latency tied to Markdown parsing paths.
  • For Fedora environments, verify whether the affected package builds referenced by the CVE record have been updated in your distribution channels.
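The inventory step above can be automated against a Node.js lockfile. The following script is an added example, not part of the PatchSiren debrief or the marked project: it walks a package-lock.json (both the flat v2/v3 "packages" layout and the nested v1 "dependencies" layout), lists every installed copy of marked including duplicates nested under other dependencies, and flags those older than 0.3.4. The embedded lockfile and the "some-docs-tool" dependency are constructed sample data.

```javascript
// Added example (not part of the PatchSiren debrief): scan a package-lock.json for
// installed copies of "marked" older than the fixed release 0.3.4 (sample lock is constructed).
const FIXED_VERSION = "0.3.4"; // first non-vulnerable release per the CVE record

// "MAJOR.MINOR.PATCH[-prerelease]" -> [major, minor, patch]; prerelease tag is ignored.
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name`, including nested duplicates: [{ path, version }].
function findPackage(lock, name) {
  const hits = [];
  if (lock.packages) { // lockfile v2/v3: flat map keyed by install path
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith("node_modules/" + name)) hits.push({ path: p, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => { // lockfile v1: nested "dependencies" tree
    for (const [dep, meta] of Object.entries(deps || {})) {
      const p = prefix + "node_modules/" + dep;
      if (dep === name) hits.push({ path: p, version: meta.version });
      walk(meta.dependencies, p + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Copies of marked still inside the vulnerable range (< 0.3.4).
function vulnerableMarked(lock) {
  return findPackage(lock, "marked").filter((h) => compareVersions(h.version, FIXED_VERSION) < 0);
}

// Constructed sample (v2 layout): patched root copy plus a stale copy nested under a dependency.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "node_modules/marked": { version: "0.3.4" },
  "node_modules/some-docs-tool": { version: "1.0.0" },
  "node_modules/some-docs-tool/node_modules/marked": { version: "0.3.2" } } };

console.log(vulnerableMarked(SAMPLE_LOCK)); // only the nested 0.3.2 copy is reported
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`; nested copies are the ones a top-level `npm ls marked` check most often misses.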

Evidence notes

This debrief is based on the supplied CVE description and NVD metadata. The record states: marked before 0.3.4 is vulnerable; the issue is a catastrophic backtracking problem in the em inline rule; the weakness is CWE-1333; and the CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The supplied metadata also lists Fedora 31 and 32 CPE entries and references third-party advisories, including one broken-link advisory entry.

Official resources

Publicly disclosed in the CVE record on 2017-01-23T21:59:00.470Z; the NVD record was last modified on 2026-05-13T00:24:29.033Z.