Advisories for Nuget/Marked package

2022

Inefficient Regular Expression Complexity

The regular expression block.def may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time …

Inefficient Regular Expression Complexity

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to …

2021

Uncontrolled Resource Consumption

Marked is an open-source markdown parser and compiler. In marked from and, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed

2020
2018

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

marked is an application that is meant to parse and compile markdown. Due to the way that marked parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (sanitize: true) to inject a javascript: URL. This flaw exists because &#xNNanything; gets parsed to what it could and leaves the rest behind, resulting in just anything; being left.

2015