Description
Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.
Published: 2026-04-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exhaustion (OOM) leading to application crash
Action: Apply Patch
AI Analysis

Impact

Marked, a popular Markdown parser, contains a flaw that triggers an infinite recursion during tokenization when it encounters a specific three‑byte sequence (0x09 0x0B 0x0A). The unbounded recursion causes the parser to allocate memory without limit, leading to a memory exhaustion condition that crashes the host Node.js process. The vulnerability is a resource exhaustion flaw (CWE‑400) amplified by an unprotected infinite loop (CWE‑835) and integer overflow issues (CWE‑674).

Affected Systems

Marked versions from 18.0.0 up to and including 18.0.1 are impacted. These releases are used in Node.js applications that import the marked library for rendering Markdown. Any environment that passes untrusted content to marked may be affected.

Risk and Exploitability

The CVSS score of 8.7 indicates a high‑severity denial of service weakness. The EPSS score of less than 1% suggests that active exploitation is considered unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. An unauthenticated attacker can exploit the issue by feeding the target markdown parser the malicious three‑byte sequence; the attack does not require privileged access or user interaction beyond the ability to supply input to the parser.

Generated by OpenCVE AI on April 28, 2026 at 05:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the marked library to version 18.0.2 or later, which includes the fix for the infinite recursion bug.
  • If an upgrade is not immediately possible, configure the parser to operate in safe mode or set a maximum recursion depth to prevent unbounded memory usage.
  • Validate or sanitize user‑supplied Markdown before passing it to marked, ensuring that the specific three‑byte sequence is removed or escaped to thwart exploitation.

Generated by OpenCVE AI on April 28, 2026 at 05:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-6v9c-7cg6-27q7 Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer
History

Wed, 06 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Marked Project
Marked Project marked
CPEs cpe:2.3:a:marked_project:marked:*:*:*:*:*:node.js:*:*
Vendors & Products Marked Project
Marked Project marked
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Mon, 27 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Markedjs
Markedjs marked
Vendors & Products Markedjs
Markedjs marked

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Description Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.
Title Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer
Weaknesses CWE-400
CWE-674
CWE-835
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Marked Project Marked
Markedjs Marked
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T19:08:41.300Z

Reserved: 2026-04-22T03:53:24.406Z

Link: CVE-2026-41680

cve-icon Vulnrichment

Updated: 2026-04-24T19:08:04.324Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-24T18:16:29.567

Modified: 2026-04-28T19:37:46.943

Link: CVE-2026-41680

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-24T17:26:27Z

Links: CVE-2026-41680 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses