Description
Affected versions of marked are vulnerable to Regular Expression Denial of Service (ReDoS). The _label subrule can significantly degrade parsing performance when it is given malformed input.
Recommendation
Update the marked package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 0.4.0, < 0.7.0
- Patched version(s): 0.7.0
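As an added example (not part of the advisory and not code from the marked project), the following script shows how to check every installed copy of marked in a package-lock style dependency map against the affected range stated above (>= 0.4.0, < 0.7.0) without relying on an external semver library. The ADVISORY object encodes only the ranges from this page; the SAMPLE_LOCK_PACKAGES map and the function names are constructed for the example.

```javascript
// Added example: flag installed copies of marked that fall inside the
// advisory's affected range. Ranges come from the advisory text; the
// dependency map below is constructed sample data.

const ADVISORY = {
  package: 'marked',
  affected: { min: '0.4.0', maxExclusive: '0.7.0' }, // >= 0.4.0, < 0.7.0
  patched: '0.7.0',
};

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]. A leading "v", "^"
// or "~" is ignored and a pre-release suffix is stripped; anything else
// (e.g. "latest", a git URL) returns null so the caller can report it.
function parseVersion(str) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(str.trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when min <= version < maxExclusive.
function isAffected(versionStr, advisory = ADVISORY) {
  const v = parseVersion(versionStr);
  if (!v) throw new Error(`unparseable version: ${versionStr}`);
  const min = parseVersion(advisory.affected.min);
  const max = parseVersion(advisory.affected.maxExclusive);
  return compareVersions(v, min) >= 0 && compareVersions(v, max) < 0;
}

// Walk a package-lock v2/v3 style "packages" map ({ "node_modules/x": {version} })
// and report every installed copy of the package, including nested copies
// pulled in transitively by other dependencies.
function auditLock(lockPackages, advisory = ADVISORY) {
  const findings = [];
  for (const [path, info] of Object.entries(lockPackages)) {
    const segments = path.split('node_modules/');
    const name = segments[segments.length - 1];
    if (name !== advisory.package || !info || !info.version) continue;
    const affected = isAffected(info.version, advisory);
    findings.push({
      path,
      version: info.version,
      affected,
      recommendation: affected ? `upgrade to >= ${advisory.patched}` : 'ok',
    });
  }
  return findings;
}

// Constructed sample resembling the "packages" section of a package-lock.json.
const SAMPLE_LOCK_PACKAGES = {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/marked': { version: '0.6.2' },
  'node_modules/some-docs-tool': { version: '2.1.0' },
  'node_modules/some-docs-tool/node_modules/marked': { version: '0.7.0' },
  'node_modules/other-lib': { version: '0.5.0' },
};

for (const f of auditLock(SAMPLE_LOCK_PACKAGES)) {
  console.log(`${f.path}@${f.version}: ${f.affected ? 'AFFECTED' : 'not affected'} (${f.recommendation})`);
}
```

The nested copy matters in practice: a top-level upgrade to 0.7.0 does not help if another dependency still pins its own marked inside its node_modules, which is why the audit walks the full lock map rather than only the top-level entry.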
References
Related Issues
- Finance.js vulnerable to DoS via the IRR function’s depth parameter - CVE-2025-56571
- Mermaid improperly sanitizes sequence diagram labels leading to XSS - CVE-2025-54881
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) - CVE-2025-4643
- Marked allows Regular Expression Denial of Service (ReDoS) attacks - CVE-2018-25110
Tags:
- npm
- marked
Last updated on April 11, 2023