marked
npm11 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting markedpage 1 of 1
- CVE-2014-3743MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.3.12020-01-06
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.
- CVE-2015-1370NONECVSS 0.0EG 0.0✓ Fixed in 0.3.32015-01-27
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
- CVE-2015-8854HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.42017-01-23
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial o…
- CVE-2016-10531MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.3.62018-05-31
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) t…
- CVE-2017-1000427MEDIUMCVSS 6.1EG 6.1✓ Fixed in 0.3.72018-01-02
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
- CVE-2017-16114HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.92018-06-07
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
- CVE-2018-25110HIGHCVSS 7.5EG 7.5✓ Fixed in 0.3.172025-05-23
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit th…
- CVE-2021-21306MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.0.02021-02-08
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who ru…
- CVE-2022-21680HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.102022-01-14
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untr…
- CVE-2022-21681HIGHCVSS 7.5EG 7.5✓ Fixed in 4.0.102022-01-14
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted mark…
- CVE-2026-41680HIGHCVSS 7.5EG 7.5✓ Fixed in 18.0.22026-04-24
Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauth…
Check whether marked is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for marked CVEs against the assets you own.
Start Free Scan →