CVE-2026-41680— Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer

Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

N/A

未加控制的资源消耗(资源穷尽)

marked 资源管理错误漏洞

marked是美国Christopher Jeffrey个人开发者的一款使用JavaScript编写的Markdown解析器和编译器。 marked 18.0.0版本至18.0.1版本存在资源管理错误漏洞，该漏洞源于解析特定3字节输入序列时触发无限递归循环，导致无限制内存分配，造成Node.js应用因内存耗尽崩溃。

N/A

N/A