Suggestions search

All statuses

Filter by:

With package: marked-man

Found 2 matching suggestions

View:

Compact

Detailed

Untriaged

Permalink CVE-2026-41680

created 1 month ago Activity log

Created suggestion 1 month ago

Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

References

https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7 x_refsource_CONFIRMexploit

Affected products

marked

==>= 18.0.0, < 18.0.2

Matching in nixpkgs

pkgs.marked-man

Markdown to roff wrapper around marked

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.1.0
nixos-25.11 2.1.0
- nixos-25.11-small 2.1.0
- nixpkgs-25.11-darwin 2.1.0

pkgs.haskellPackages.yaml-marked

Support for parsing and rendering YAML documents with marks

nixos-unstable 0.2.0.1
- nixpkgs-unstable 0.2.0.1
- nixos-unstable-small 0.2.0.1
nixos-25.11 0.2.0.1
- nixos-25.11-small 0.2.0.1
- nixpkgs-25.11-darwin 0.2.0.1

Package maintainers

@Atemu Atemu <nixpkgs@mail.atemu.net>

Published

Permalink CVE-2018-25110

updated 1 year ago by @fricklerhandwerk Activity log

Created suggestion 1 year ago
@fricklerhandwerk accepted 1 year ago
@fricklerhandwerk published on GitHub 1 year ago

Regular Expression Denial of Service (ReDoS) in markedjs/marked

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.