Marked ReDoS due to email addresses being evaluated in quadratic time
- Severity:
- Medium
Description
Versions of marked from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): >= 0.3.14, < 0.6.2
- Patched version(s): 0.6.2
References
Related Issues
- @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - CVE-2025-25285
- express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison - Vulnerability
- @octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtrac - CVE-2025-25290
- @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Back - CVE-2025-25288
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on January 11, 2023