Description
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links.
Recommendation
Update the marked package to the latest compatible version. Version details:
- Affected version(s): < 0.3.17
- Patched version(s): 0.3.17
References
Related Issues
- Regular Expression Denial of Service (REDoS) in Marked - CVE-2021-21306
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) - CVE-2021-23346
- Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
- regular expression denial of service (ReDoS) - date-and-time - CVE-2020-26289
Tags: npm, marked
Last updated on May 27, 2025


