Nixpkgs security tracker

Untriaged

Permalink CVE-2026-41680

created 1 month ago Activity log

Created suggestion 1 month ago

Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

References

https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7 x_refsource_CONFIRMexploit

Affected products

marked

==>= 18.0.0, < 18.0.2

Matching in nixpkgs

pkgs.marked-man

Markdown to roff wrapper around marked

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.1.0
nixos-25.11 2.1.0
- nixos-25.11-small 2.1.0
- nixpkgs-25.11-darwin 2.1.0

pkgs.haskellPackages.yaml-marked

Support for parsing and rendering YAML documents with marks

nixos-unstable 0.2.0.1
- nixpkgs-unstable 0.2.0.1
- nixos-unstable-small 0.2.0.1
nixos-25.11 0.2.0.1
- nixos-25.11-small 0.2.0.1
- nixpkgs-25.11-darwin 0.2.0.1

Package maintainers

@Atemu Atemu <nixpkgs@mail.atemu.net>