Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer

Severity:: High

Description

A critical Denial of Service (DoS) vulnerability exists in [email protected]. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.

Recommendation

Update the marked package to the latest compatible version. Followings are version details:

Affected version(s): >= 18.0.0, <= 18.0.1
Patched version(s): 18.0.2

References

GHSA-6v9c-7cg6-27q7
CVE-2026-41680
CWE-400
CWE-674
CWE-835
CAPEC-310
OWASP 2021-A6

Related Issues

Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions - CVE-2026-34404
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
Cube Core is vulnerable to Denial of Service (DoS) via crafted request - CVE-2026-25957

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; marked

Anything's wrong? Let us know Last updated on April 29, 2026