Marked: OOM Denial of Service via Infinite Recursion in marked...

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

AI Analysis

Denial of Service (DoS) vulnerability via infinite recursion in marked tokenizer, causing unbounded memory allocation and host application crash

Basic Information

ID CVE-2026-41680

Source GitHub_M

Published Apr 24, 2026 at 17:26

Affected Product

Vendor markedjs

Product marked

Version >= 18.0.0, < 18.0.2

Affected Versions markedjs marked >= 18.0.0, < 18.0.2

CWE Classification

CWE-400 CWE-674 CWE-835

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor markedjs

Product marked

Version 18.0.0-18.0.1

References

github.com /markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7

{
    "lastseen": "",
    "description": "Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\\x09\\x0b\\n)\u2014an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.",
    "published": "2026-04-24T17:26:27.847Z",
    "modified": "2026-04-24T17:26:27.847Z",
    "type": "cve",
    "title": "Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer",
    "source": "GitHub_M",
    "references": "https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7",
    "id": "CVE-2026-41680",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400",
        "CWE-674",
        "CWE-835"
    ],
    "cvelist": null,
    "sourceData": "markedjs marked >= 18.0.0, < 18.0.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "marked",
    "version": ">= 18.0.0, < 18.0.2",
    "vendor": "markedjs",
    "ai_description": "Denial of Service (DoS) vulnerability via infinite recursion in marked tokenizer, causing unbounded memory allocation and host application crash",
    "ai_severity": "High",
    "ai_vendor": "markedjs",
    "ai_product": "marked",
    "ai_version": "18.0.0-18.0.1",
    "ai_score": 8.7
}

Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer_CVE-2026-41680