Skip to content
CVSS 7.5 · HIGH

CVE-2026-41680

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

Ver en NVD

Análisis

The marked library (v18.0.0 to 18.0.1) contains a denial-of-service vulnerability where a 3-byte input sequence can crash a Node.js process via infinite recursion. Applications that render user-supplied markdown should update to version 18.0.2 immediately to avoid memory exhaustion attacks.

Severidad

Puntaje: 7.5(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: NONE
I: NONE
A: HIGH
Tipo de falla (CWE): CWE-400CWE-674CWE-835

EPSS

Probabilidad de explotación (próx. 30 días): 0.0009 (0.1%)
Percentil: 24.7%
EPSS: 2026-05-06

Afecta

marked_project:marked

Descripción técnica

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

Publicada: 24/4/2026, 18:16:29
Última modificación: 28/4/2026, 19:37:46

Referencias

InicioEventosBlogRecursosEquipo