VulnerableCode Package Details - pkg:npm/marked@0.3.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-8sge-yv9a-gyf7 Aliases: GMS-2017-212	Regular Expression Denial of Service The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.	0.3.9 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ahdy-enkb-qucy Aliases: CVE-2017-17461 GHSA-crmx-v835-hcp4	Moderate severity vulnerability that affects marked REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.	0.3.9 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-awq5-34c9-tkes Aliases: CVE-2022-21681 GHSA-5v2h-r2cx-5xgj	Inefficient Regular Expression Complexity The regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.	4.0.10 Affected by 0 other vulnerabilities.
VCID-b8e2-2cre-2bbt Aliases: CVE-2018-25110 GHSA-p9wx-2529-fp83	Marked allows Regular Expression Denial of Service (ReDoS) attacks Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.	0.3.17 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-edfz-a78w-13dh Aliases: CVE-2017-1000427 GHSA-7px7-7xjx-hxm8	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') marked is vulnerable to an XSS attack in the data: URI parser.	0.3.7 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-gzan-ec95-93ex Aliases: CVE-2017-16114 GHSA-x5pg-88wf-qq4p	Uncontrolled Resource Consumption The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.	0.3.9 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-xf3w-qz3m-h7fv Aliases: CVE-2022-21680 GHSA-rrrm-qjm4-v8hf	Inefficient Regular Expression Complexity The regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.	4.0.10 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-8sge-yv9a-gyf7
Aliases:
GMS-2017-212

Regular Expression Denial of Service The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

0.3.9
Affected by 3 other vulnerabilities.

VCID-ahdy-enkb-qucy
Aliases:
CVE-2017-17461
GHSA-crmx-v835-hcp4

Moderate severity vulnerability that affects marked ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

0.3.9
Affected by 3 other vulnerabilities.

VCID-awq5-34c9-tkes
Aliases:
CVE-2022-21681
GHSA-5v2h-r2cx-5xgj

Inefficient Regular Expression Complexity The regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

4.0.10
Affected by 0 other vulnerabilities.

VCID-b8e2-2cre-2bbt
Aliases:
CVE-2018-25110
GHSA-p9wx-2529-fp83

Marked allows Regular Expression Denial of Service (ReDoS) attacks Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

0.3.17
Affected by 3 other vulnerabilities.

VCID-edfz-a78w-13dh
Aliases:
CVE-2017-1000427
GHSA-7px7-7xjx-hxm8

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') marked is vulnerable to an XSS attack in the data: URI parser.

0.3.7
Affected by 5 other vulnerabilities.

VCID-gzan-ec95-93ex
Aliases:
CVE-2017-16114
GHSA-x5pg-88wf-qq4p

Uncontrolled Resource Consumption The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

0.3.9
Affected by 3 other vulnerabilities.

VCID-xf3w-qz3m-h7fv
Aliases:
CVE-2022-21680
GHSA-rrrm-qjm4-v8hf

Inefficient Regular Expression Complexity The regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

4.0.10
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5bd3-3bhj-e7hr	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') marked is an application that is meant to parse and compile markdown. Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.	CVE-2016-10531 GHSA-vfvf-mqq8-rwqc
VCID-7hw9-qfnv-gkcr	Sanitization bypass using HTML Entities Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.	GMS-2016-24

Vulnerability

Summary

Aliases

VCID-5bd3-3bhj-e7hr

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') marked is an application that is meant to parse and compile markdown. Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

CVE-2016-10531
GHSA-vfvf-mqq8-rwqc

VCID-7hw9-qfnv-gkcr

Sanitization bypass using HTML Entities Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left.

GMS-2016-24

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T23:11:36.728689+00:00	GHSA Importer	Affected by	VCID-gzan-ec95-93ex	https://github.com/advisories/GHSA-x5pg-88wf-qq4p	38.6.0
2026-06-06T23:10:22.298512+00:00	GHSA Importer	Affected by	VCID-edfz-a78w-13dh	https://github.com/advisories/GHSA-7px7-7xjx-hxm8	38.6.0
2026-06-06T05:50:28.792447+00:00	GitLab Importer	Affected by	VCID-b8e2-2cre-2bbt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2018-25110.yml	38.6.0
2026-06-06T01:17:58.726868+00:00	GitLab Importer	Affected by	VCID-xf3w-qz3m-h7fv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2022-21680.yml	38.6.0
2026-06-06T01:17:50.561218+00:00	GitLab Importer	Affected by	VCID-awq5-34c9-tkes	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2022-21681.yml	38.6.0
2026-06-05T21:08:36.690193+00:00	GHSA Importer	Fixing	VCID-5bd3-3bhj-e7hr	https://github.com/advisories/GHSA-vfvf-mqq8-rwqc	38.6.0
2026-06-04T20:12:59.077837+00:00	GitLab Importer	Affected by	VCID-gzan-ec95-93ex	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2017-16114.yml	38.6.0
2026-06-04T20:10:44.556530+00:00	GitLab Importer	Affected by	VCID-ahdy-enkb-qucy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2017-17461.yml	38.6.0
2026-06-04T20:08:58.996749+00:00	GitLab Importer	Affected by	VCID-8sge-yv9a-gyf7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/GMS-2017-212.yml	38.6.0
2026-06-04T17:42:05.108486+00:00	GithubOSV Importer	Fixing	VCID-5bd3-3bhj-e7hr	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/02/GHSA-vfvf-mqq8-rwqc/GHSA-vfvf-mqq8-rwqc.json	38.6.0
2026-06-02T04:37:44.518796+00:00	GitLab Importer	Fixing	VCID-5bd3-3bhj-e7hr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2016-10531.yml	38.6.0
2026-06-02T04:37:24.146100+00:00	GitLab Importer	Affected by	VCID-edfz-a78w-13dh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/CVE-2017-1000427.yml	38.6.0
2026-06-02T04:36:32.849771+00:00	GitLab Importer	Fixing	VCID-7hw9-qfnv-gkcr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/marked/GMS-2016-24.yml	38.6.0