Description
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.3.17
- Patched version(s): 0.3.17
References
Related Issues
- Regular Expression Denial of Service (REDoS) in Marked - CVE-2021-21306
- jsPDF Bypass Regular Expression Denial of Service (ReDoS) - CVE-2025-29907
- regular expression denial of service (ReDoS) (GHSA-r92x-f52r-x54g) - CVE-2020-26289
- Regular Expression Denial of Service in sshpk - CVE-2018-3737
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on May 27, 2025