Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer
- Severity:
- High
Description
A critical Denial of Service (DoS) vulnerability exists in [email protected]. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): >= 18.0.0, <= 18.0.1
- Patched version(s): 18.0.2
References
Related Issues
- jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder - CVE-2026-24133
- Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig - CVE-2026-25639
- Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input - CVE-2026-33891
- Nuxt OG Image is vulnerable to Denial of Service via unbounded image dimensions - CVE-2026-34404
You might also like:
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on April 29, 2026


