Version 15.0.2

marked

A markdown parser and compiler. Built for speed.

Install Instructions

npm install marked
Current Version Release Date November 29, 2024
Language JavaScript/TypeScript
Package URL (purl) pkg:npm/marked@15.0.2

Find marked vulnerabilities in your supply chain.

Scan for Free

marked Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2014-3743 Medium 6.1 CWE-74, CWE-79 0.00243 0.64744
  • 0.0.1–0.3.0
CVE-2015-1370 Medium 4.3 CWE-184, CWE-74 0.00373 0.73471
  • 0.0.1–0.3.2
CVE-2015-8854 High 7.5 CWE-399, CWE-1333, CWE-400 0.00477 0.76494
  • 0.0.1–0.3.3
CVE-2016-10531 Medium 6.1 CWE-79 0.00087 0.38816
  • 0.0.1–0.3.5
CVE-2017-1000427 Medium 6.1 CWE-79 0.00116 0.46737
  • 0.0.1–0.3.6
CVE-2017-16114 High 7.5 CWE-400 0.00116 0.46845
  • 0.0.1–0.3.7
CVE-2022-21680 High 7.5 CWE-1333, CWE-400 0.00356 0.72827
  • 4.0.0–4.0.9
  • 3.0.0–3.0.8
  • 2.0.0–2.1.3
  • 1.0.0–1.2.9
  • 0.0.1–0.8.2
CVE-2022-21681 High 7.5 CWE-1333, CWE-400 0.00225 0.61476
  • 4.0.0–4.0.9
  • 3.0.0–3.0.8
  • 2.0.0–2.1.3
  • 1.0.0–1.2.9
  • 0.0.1–0.8.2
CVE-2021-21306 High 7.5 CWE-400 0.00186 0.57022
  • 1.1.1–1.2.9

marked Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2022-21681 Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources. 0.1.9, 0.6.2, 2.1.3, 0.3.19, 4.0.9, 0.7.0, 4.0.6, 4.0.5 (Show all) Major → 4.0.10
CVE-2022-21680 Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources. 0.1.9, 0.6.2, 2.1.3, 0.3.19, 4.0.9, 0.7.0, 4.0.6, 4.0.5 (Show all) Major → 4.0.10
CVE-2021-21306 Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0. 1.1.1, 1.2.5, 1.2.3, 1.2.6, 1.2.8, 1.2.0, 1.2.7, 1.2.1 (Show all) Major → 4.0.10
CVE-2017-16114 The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds. 0.1.9, 0.2.9, 0.2.3, 0.3.5, 0.1.3, 0.0.9, 0.1.8, 0.2.1 (Show all) Major → 4.0.10
CVE-2017-1000427 marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser. 0.1.9, 0.2.9, 0.2.3, 0.3.5, 0.1.3, 0.0.9, 0.1.8, 0.2.1 (Show all) Major → 4.0.10
CVE-2016-10531 marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` gets parsed to what it could and leaves the rest behind, resulting in just `anything;` being left. 0.1.9, 0.2.9, 0.2.3, 0.3.5, 0.1.3, 0.0.9, 0.1.8, 0.2.1 (Show all) Major → 4.0.10
CVE-2015-8854 The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)." 0.1.9, 0.2.9, 0.2.3, 0.1.3, 0.0.9, 0.1.8, 0.2.1, 0.0.4 (Show all) Major → 4.0.10
CVE-2015-1370 Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. 0.1.9, 0.2.9, 0.2.3, 0.1.3, 0.0.9, 0.1.8, 0.2.1, 0.0.4 (Show all) Major → 4.0.10
CVE-2014-3743 Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript url's. 0.1.9, 0.2.9, 0.2.3, 0.1.3, 0.0.9, 0.1.8, 0.2.1, 0.0.4 (Show all) Major → 4.0.10

Instantly see if these marked vulnerabilities affect your code.

Scan for Free