11 matches found
CVE-2022-21680
CVE-2022-21680 affects the Node.js Marked markdown parser. Prior to 4.0.10, regex block.def can cause catastrophic backtracking leading to ReDoS when processing untrusted markdown; patch is 4.0.10. Workarounds include running Marked in a worker thread with a reasonable time limit or avoiding untr...
CVE-2022-21681
CVE-2022-21681 affects the Marked markdown parser. The vulnerability is caused by the regular expression inline.reflinkSearch, which may cause catastrophic backtracking and a denial of service when processing untrusted Markdown. Affected versions are prior to 4.0.10. The issue is patched in 4.0.1...
CVE-2016-10531
CVE-2016-10531 affects the marked library (0.3.5 and earlier). The issue arises when parsing HTML entities: &#xNN... leaves trailing text, allowing bypass of sanitize: true and injection of a javascript: URL. This enables cross-site scripting via markdown-rendered links. Affected: marked where li...
CVE-2014-3743
CVE-2014-3743 affects the Node.js Marked module (before 0.3.1). The vulnerability is due to cross-site scripting in two vectors: gfm codeblocks (language) and javascript: URLs, allowing remote attackers to inject arbitrary script/HTML. The OSV and NVD records corroborate XSS in Marked prior to 0....
CVE-2021-21306
Marked (npm package) contains a Regular Expression Denial of Service vulnerability in versions 1.1.1 up to before 2.0.0. The root cause is a REDoS condition when processing user-generated code through marked. Impact is denial of service; upgrade to version 2.0.0 or later to fix. If exploiting det...
CVE-2017-1000427
CVE-2017-1000427: Marked up to version 0.3.6 and earlier is vulnerable to cross-site scripting via the data: URI parser. This is an XSS in user-supplied input that can execute script in the victim’s browser when a crafted URL is clicked. The NVD shows CVSS v3.0 base score 6.1 (network, low attack...
CVE-2015-1370
CVE-2015-1370 affects the marked library (versions 0.3.2 and earlier) used with Node.js. The root cause is an incomplete blacklist that allows cross-site scripting via a vbscript tag in a link, enabling remote XSS. Public references (GHSA, OSV, NVD, CNVD) corroborate the issue and advise upgradin...
CVE-2015-8854
CVE-2015-8854 details (concrete): The vulnerability affects the Node.js marked module prior to 0.3.4. It enables a denial of service (CPU exhaustion) via unspecified vectors that trigger a catastrophic backtracking issue in the Em inline rule, i.e., a ReDoS. Affected products in public docs inclu...
CVE-2017-16114
CVE-2017-16114 affects the marked Markdown parser module. Vulnerable behavior is a regular expression denial of service when processing untrusted input; measurements report about 1,000 characters blocking the event loop for around 6 seconds. Affected environments are those that install the marked...
CVE-2018-25110
CVE-2018-25110 affects the markedjs/marked parser. The vulnerability stems from catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links, allowing a Regular Expression Denial of Service (ReDoS) via crafted markdown input (e.g., deeply nested or repeti...
CVE-2026-41680
CVE-2026-41680 affects the Marked markdown parser/compiler. From versions 18.0.0 through 18.0.1, an unauthenticated attacker can trigger an infinite recursion in the tokenizer by sending the 3-byte sequence: tab, vertical tab, newline (\x09\x0b\n). This leads to unbounded memory allocation and ca...