Skip to content
CVSS 7.5 · HIGH

CVE-2026-41680

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

View on NVD

Analysis

The marked library (v18.0.0 to 18.0.1) contains a denial-of-service vulnerability where a 3-byte input sequence can crash a Node.js process via infinite recursion. Applications that render user-supplied markdown should update to version 18.0.2 immediately to avoid memory exhaustion attacks.

Severity

Score: 7.5(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: NONE
A: HIGH
Weakness (CWE): CWE-400CWE-674CWE-835

EPSS

Probability of exploitation (next 30 days): 0.0009 (0.1%)
Percentile: 24.7%
EPSS: 2026-05-06

Affects

marked_project:marked

Technical description

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

Published: 4/24/2026, 6:16:29 PM
Last modified: 4/28/2026, 7:37:46 PM

References

HomeEventsBlogResourcesTeam