Description
A flaw was found in nodejs-marked versions from 0.5.0 to before 0.6.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Input to the host variable is vulnerable when input contains parenthesis in link URIs, coupled with a high number of link tokens in a single line.
Recommendation
Update the marked package to the latest compatible version. Followings are version details:
- Affected version(s): >= 0.5.0, < 0.6.1
- Patched version(s): 0.6.1
References
Related Issues
- VBScript Content Injection in marked - CVE-2015-1370
- @rpldy/uploader prototype pollution - CVE-2024-57082
- DocsGPT Allows Remote Code Execution - CVE-2025-0868
- Signature Malleabillity in elliptic - CVE-2020-13822
- Tags:
- npm
- marked
Anything's wrong? Let us know Last updated on January 09, 2023