Marked Project Marked vulnerabilities
11 known vulnerabilities affecting marked_project/marked.
Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 5, MEDIUM 6
Vulnerabilities
CVE-2018-25110 | MEDIUM | CVSS 6.9 | CWE-1333 | fixed in 0.3.17 | 2025-05-23
Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structure
Sources: ghsa, nvd, osv

CVE-2022-21680 | HIGH | CVSS 7.5 | CWE-400 | fixed in 4.0.10 | 2022-01-14
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected.
Sources: ghsa, nvd, osv

CVE-2022-21681 | HIGH | CVSS 7.5 | CWE-400 | fixed in 4.0.10 | 2022-01-14
Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issu
Sources: ghsa, nvd, osv

CVE-2021-21306 | HIGH | CVSS 7.5 | CWE-400 | ≥ 1.1.1, < 2.0.0 | 2021-02-08
Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.
Sources: ghsa, nvd, osv

CVE-2014-3743 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 0.3.1 | 2020-01-06
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's.
Sources: ghsa, nvd, osv

CVE-2017-16114 | HIGH | CVSS 7.5 | CWE-400 | fixed in 0.3.9 | 2018-06-07
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
Sources: ghsa, nvd, osv

CVE-2016-10531 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 0.3.5 | 2018-05-31
marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves t
Sources: ghsa, nvd, osv

CVE-2017-17461 | MEDIUM | ≥ 0, < 0.3.9 | 2018-01-04
Moderate severity vulnerability that affects marked
# Withdrawn
This advisory has been withdrawn, per NVD: ["This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue."](https://nvd.nist.gov/vuln/detail/CVE-2017-17461)
# Original Description
A Regular expression Denial of Service (ReDoS) vulnerability in the file marked.js of the marked npm package (tested on version 0.3.7
Sources: ghsa, osv

CVE-2017-1000427 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 0.3.6 | 2018-01-02
marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.
Sources: ghsa, nvd, osv

CVE-2015-8854 | HIGH | CVSS 7.5 | CWE-1333 | fixed in 0.3.4 | 2017-01-23
The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."
Sources: ghsa, nvd, osv

CVE-2015-1370 | MEDIUM | CVSS 4.3 | ≤ 0.3.2 | 2015-01-27
Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.
Sources: ghsa, nvd, osv