Description
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.3.17
- Patched version(s): 0.3.17
References
Related Issues
- Regular Expression Denial of Service (REDoS) in Marked - CVE-2021-21306
- Regular Expression Denial of Service (ReDoS) (GHSA-vx3p-948g-6vhq) - CVE-2021-27290
- uap-core Regular Expression Denial of Service issue - CVE-2018-20164
- Regular Expression Denial of Service in ssri - CVE-2018-7651
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on May 27, 2025