Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/marked@0.3.4
purl pkg:npm/marked@0.3.4
Next non-vulnerable version 4.0.10
Latest non-vulnerable version 18.0.2
Risk 4.0
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-1vxb-uvrf-63fn
Aliases:
GMS-2016-24
Sanitization bypass using HTML Entities Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.
0.3.6
Affected by 7 other vulnerabilities.
VCID-686c-bk5y-k7gr
Aliases:
CVE-2018-25110
GHSA-p9wx-2529-fp83
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.
0.3.17
Affected by 3 other vulnerabilities.
VCID-8wcn-cw8p-57e8
Aliases:
CVE-2017-16114
GHSA-x5pg-88wf-qq4p
Regular Expression Denial of Service in marked
0.3.9
Affected by 3 other vulnerabilities.
VCID-9wvm-us1k-6bhs
Aliases:
CVE-2022-21680
GHSA-rrrm-qjm4-v8hf
Inefficient Regular Expression Complexity in marked
4.0.10
Affected by 0 other vulnerabilities.
VCID-bcyk-4f2v-xkdv
Aliases:
CVE-2017-17461
GHSA-crmx-v835-hcp4
Moderate severity vulnerability that affects marked
0.3.9
Affected by 3 other vulnerabilities.
VCID-e79f-8rxd-q3e6
Aliases:
CVE-2016-10531
GHSA-vfvf-mqq8-rwqc
Sanitization bypass using HTML Entities in marked
0.3.6
Affected by 7 other vulnerabilities.
VCID-fczp-sf61-7bft
Aliases:
GMS-2017-212
Regular Expression Denial of Service The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
0.3.9
Affected by 3 other vulnerabilities.
VCID-qf5t-nkv6-duac
Aliases:
CVE-2022-21681
GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked
4.0.10
Affected by 0 other vulnerabilities.
VCID-uqqa-ue5d-fyc3
Aliases:
CVE-2017-1000427
GHSA-7px7-7xjx-hxm8
Marked vulnerable to XSS from data URIs
0.3.7
Affected by 5 other vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-dn5c-n7r6-pqb4 Regular expression denial of service Marked is vulnerable to regular expression denial of service (ReDoS) when certain types of input are passed in to be parsed. GMS-2015-1
VCID-jmm3-pphv-nygr Regular Expression Denial of Service in marked CVE-2015-8854
GHSA-hjcp-j389-59ff

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T20:02:14.279409+00:00 GitLab Importer Affected by VCID-686c-bk5y-k7gr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2018-25110.yml 38.6.0
2026-06-12T17:55:53.295175+00:00 GitLab Importer Affected by VCID-9wvm-us1k-6bhs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2022-21680.yml 38.6.0
2026-06-12T17:55:50.132796+00:00 GitLab Importer Affected by VCID-qf5t-nkv6-duac https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2022-21681.yml 38.6.0
2026-06-12T17:00:49.436889+00:00 GitLab Importer Affected by VCID-8wcn-cw8p-57e8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2017-16114.yml 38.6.0
2026-06-12T16:59:24.801286+00:00 GitLab Importer Affected by VCID-e79f-8rxd-q3e6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2016-10531.yml 38.6.0
2026-06-12T16:56:47.814441+00:00 GitLab Importer Affected by VCID-bcyk-4f2v-xkdv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2017-17461.yml 38.6.0
2026-06-12T16:56:38.424994+00:00 GitLab Importer Affected by VCID-uqqa-ue5d-fyc3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2017-1000427.yml 38.6.0
2026-06-12T16:54:20.097371+00:00 GitLab Importer Affected by VCID-fczp-sf61-7bft https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/GMS-2017-212.yml 38.6.0
2026-06-12T16:50:00.797865+00:00 GitLab Importer Affected by VCID-1vxb-uvrf-63fn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/GMS-2016-24.yml 38.6.0
2026-06-12T15:40:08.032474+00:00 GitLab Importer Fixing VCID-jmm3-pphv-nygr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2015-8854.yml 38.6.0
2026-06-12T15:39:11.979144+00:00 GitLab Importer Fixing VCID-dn5c-n7r6-pqb4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/GMS-2015-1.yml 38.6.0
2026-06-12T07:52:16.228984+00:00 GithubOSV Importer Fixing VCID-jmm3-pphv-nygr https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-hjcp-j389-59ff/GHSA-hjcp-j389-59ff.json 38.6.0
2026-06-12T07:19:02.500077+00:00 Npm Importer Fixing VCID-jmm3-pphv-nygr https://github.com/nodejs/security-wg/blob/main/vuln/npm/23.json 38.6.0
2026-06-11T20:23:45.059262+00:00 GHSA Importer Fixing VCID-jmm3-pphv-nygr https://github.com/advisories/GHSA-hjcp-j389-59ff 38.6.0