CVE-2018-25110Regex Denial of Service in Project Marked

CWE-1333Regex Denial of Service5 documents4 sources
Severity
6.9MEDIUMNVD
EPSS
0.8%
top 26.37%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Marked Project MarkedDebian Node-marked
Timeline
PublishedMay 23

Description

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages3 packages

debiandebian/node-marked< node-marked 0.5.1+dfsg-1 (bookworm)
NVDmarked_project/marked< 0.3.17
npmmarked_project/marked< 0.3.17

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
OSV
Marked allows Regular Expression Denial of Service (ReDoS) attacks2025-05-23
OSV
CVE-2018-25110: Marked prior to version 02025-05-23
GHSA
Marked allows Regular Expression Denial of Service (ReDoS) attacks2025-05-23

📋Vendor Advisories

1
Debian
CVE-2018-25110: node-marked - Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of S...2018