Description
Denial of service.
The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.
Who is impacted?
Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.
Recommendation
Update the marked package to the latest compatible version. Version details:
- Affected version(s): < 4.0.10
- Patched version(s): 4.0.10
References
Related Issues
- Moderate severity vulnerability that affects marked - CVE-2017-17461
- Multiple Content Injection Vulnerabilities in marked - CVE-2014-3743
- jquery-validation vulnerable to Cross-site Scripting - CVE-2025-3573
- @mozilla/readability Denial of Service through Regex - CVE-2025-2792
Tags: npm, marked
Last updated on November 29, 2023