Skip to content

marked-0.3.5.tgz: 9 vulnerabilities (highest severity is: 7.5) [master] (reachable) #1

New issue
New issue
Open
Open
marked-0.3.5.tgz: 9 vulnerabilities (highest severity is: 7.5) [master] (reachable)#1
@renovate

Description

@renovate
renovate
bot
opened on Oct 21, 2025
📂 Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-2018-25110 🔴 High 7.5 Not Defined < 1% marked-0.3.5.tgz Direct https://github.com/markedjs/marked.git - v0.3.17 Reachable
CVE-2022-21680 🔴 High 7.5 Not Defined < 1% marked-0.3.5.tgz Direct marked - 4.0.10 Reachable
CVE-2022-21681 🔴 High 7.5 Not Defined < 1% marked-0.3.5.tgz Direct marked - 4.0.10 Reachable
WS-2018-0031 🔴 High 7.1 N/A N/A marked-0.3.5.tgz Direct 0.3.6 Reachable
WS-2019-0025 🟠 Medium 6.1 N/A N/A marked-0.3.5.tgz Direct 0.3.9 Reachable
WS-2019-0026 🟠 Medium 6.1 N/A N/A marked-0.3.5.tgz Direct 0.3.9 Reachable
WS-2020-0163 🟠 Medium 5.9 N/A N/A marked-0.3.5.tgz Direct marked - 1.1.1 Reachable
WS-2018-0628 🟠 Medium 5.3 N/A N/A marked-0.3.5.tgz Direct marked - 0.4.0 Reachable
WS-2019-0027 🟠 Medium 5.3 N/A N/A marked-0.3.5.tgz Direct 0.3.18 Reachable

Details

🔴CVE-2018-25110

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

Publish Date: May 23, 2025 02:53 PM

URL: CVE-2018-25110

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@20bfc10

Release Date: May 23, 2025 02:53 PM

Fix Resolution : https://github.com/markedjs/marked.git - v0.3.17

🔴CVE-2022-21680

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression "block.def" may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jan 14, 2022 12:00 AM

URL: CVE-2022-21680

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-rrrm-qjm4-v8hf

Release Date: Jan 14, 2022 12:00 AM

Fix Resolution : marked - 4.0.10

🔴CVE-2022-21681

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression "inline.reflinkSearch" may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jan 14, 2022 12:00 AM

URL: CVE-2022-21681

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-5v2h-r2cx-5xgj

Release Date: Jan 14, 2022 12:00 AM

Fix Resolution : marked - 4.0.10

🔴WS-2018-0031

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

The affected versions (through 0.3.5) in marked package are vulnerable to Cross-Site Scripting (XSS) Due To Sanitization Bypass Using HTML Entities

Publish Date: Mar 23, 2018 07:10 AM

URL: WS-2018-0031

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked#592

Release Date: Mar 23, 2018 07:10 AM

Fix Resolution : 0.3.6

🟠WS-2019-0025

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

Versions 0.3.7 and earlier of marked When mangling is disabled via option mangle don't escape target href are vulnerable to XSS, which allows an attacker to inject arbitrary code.

Publish Date: Dec 23, 2017 05:13 AM

URL: WS-2019-0025

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 6.1

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@cb72584

Release Date: Dec 23, 2017 05:13 AM

Fix Resolution : 0.3.9

🟠WS-2019-0026

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

Versions 0.3.7 and earlier of marked suuport unescaping of only lowercase, which may lead to XSS.

Publish Date: Dec 23, 2017 04:59 AM

URL: WS-2019-0026

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 6.1

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@6d1901f

Release Date: Dec 23, 2017 04:59 AM

Fix Resolution : 0.3.9

🟠WS-2020-0163

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

marked before 1.1.1 is vulnerable to Regular Expression Denial of Service (REDoS). rules.js have multiple unused capture groups which can lead to a Denial of Service.

Publish Date: Jul 02, 2020 12:00 AM

URL: WS-2020-0163

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 5.9

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/v1.1.1

Release Date: Jul 02, 2020 12:00 AM

Fix Resolution : marked - 1.1.1

🟠WS-2018-0628

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

marked before 0.4.0 is vulnerable to Regular Expression Denial of Service (REDoS) through heading in marked.js.

Publish Date: Apr 16, 2018 12:00 AM

URL: WS-2018-0628

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 5.3

Suggested Fix

Type: Upgrade version

Origin: https://github.com/markedjs/marked/releases/tag/0.4.0

Release Date: Apr 16, 2018 12:00 AM

Fix Resolution : marked - 0.4.0

🟠WS-2019-0027

Vulnerable Library - marked-0.3.5.tgz

A markdown parser built for speed

Library home page: https://registry.npmjs.org/marked/-/marked-0.3.5.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • marked-0.3.5.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- owasp-nodejs-goat-1.3.0/server.js (Application)
    -> ❌ marked-0.3.5/lib/marked.js (Vulnerable Component)

Vulnerability Details

Versions 0.3.17 and earlier of marked has Four regexes were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential REDOS attack.

Publish Date: Feb 26, 2018 04:06 PM

URL: WS-2019-0027

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 5.3

Suggested Fix

Type: Upgrade version

Origin: markedjs/marked@b15e42b

Release Date: Feb 26, 2018 04:06 PM

Fix Resolution : 0.3.18

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions