Description
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): < 0.3.17
- Patched version(s): 0.3.17
References
Related Issues
- Nuxt has Client-Side Path Traversal in Nuxt Island Payload Revival - CVE-2025-59414
- Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS) - CVE-2025-8101
- tarteaucitron.js allows url scheme injection via unfiltered inputs - CVE-2025-31476
- bootstrap Cross-site Scripting vulnerability (GHSA-ph58-4vrj-w6hr) - CVE-2018-20677
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on May 27, 2025