CVE-2026-41680: Denial of Service via Infinite Recursion in marked Lexer
Vulnerability ID: CVE-2026-41680
CVSS Score: 7.5
Published: 2026-04-29
The marked Node.js Markdown parser versions 18.0.0 and 18.0.1 contain a critical vulnerability where a specific 3-byte sequence triggers infinite recursion. This flaw leads to rapid memory exhaustion and application denial of service.
TL;DR
Unauthenticated DoS in marked via a 3-byte payload (\t\v\n) causing infinite loops and Out-of-Memory crashes.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-835, CWE-400
- Attack Vector: Network
- CVSS v3.1: 7.5 (High)
- EPSS Score: 0.07%
- Impact: Denial of Service (OOM)
- Exploit Status: PoC Available
Affected Systems
- Node.js applications running marked versions 18.0.0 through 18.0.1
- Systems processing untrusted Markdown input via affected marked versions
- marked: 18.0.0 - 18.0.1 (Fixed in: 18.0.2)
Code Analysis
Commit: 58a52e8
Implemented progress guard in src/Lexer.ts to track srcLength and prevent infinite loops, plus updated whitespace helpers.
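The "progress guard" named in the fix commit is a general defence for any tokenizer loop: record the input length before each pass and abort if nothing was consumed. The toy lexer below is an added illustration of that pattern, not marked's src/Lexer.ts; its rule names, regexes and error text are invented for the example, and the bug-prone whitespace rule is written deliberately so that a Vertical Tab (\x0b) is the character no rule consumes.

```javascript
// Added illustration of the "progress guard" pattern the fix commit describes.
// This is a toy tokenizer, not marked's src/Lexer.ts; rule names and shapes are invented.
const rules = [
  // Order matters: the text rule goes first because the whitespace rule below can
  // match the empty string (both "*" and "?" allow zero characters).
  { type: "text", re: /^\S+/ },
  // Bug-prone rule: on a character it does not list, such as Vertical Tab (\x0b),
  // it still "matches" but consumes nothing, and an unguarded loop spins forever.
  { type: "space", re: /^[ \t]*\n?/ },
];

// Tokenizes src; throws instead of looping when no rule consumes input.
function tokenize(src) {
  const tokens = [];
  while (src.length > 0) {
    const srcLength = src.length; // remembered before this pass
    for (const rule of rules) {
      const m = rule.re.exec(src);
      if (!m) continue;
      if (m[0].length > 0) tokens.push({ type: rule.type, raw: m[0] });
      src = src.slice(m[0].length);
      break;
    }
    // Progress guard: the only legitimate way out of the loop is to shrink the input.
    if (src.length >= srcLength) {
      const code = src.charCodeAt(0).toString(16).padStart(2, "0");
      throw new Error(`lexer made no progress at byte 0x${code}`);
    }
  }
  return tokens;
}

// Convenience wrapper so callers get a result object instead of an exception.
function tokenizeSafely(src) {
  try {
    return { ok: true, tokens: tokenize(src) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Stand-alone run: a normal line tokenizes, the reported \t\v\n sequence is refused.
console.log(tokenizeSafely("hello world\n"));
console.log(tokenizeSafely("\t\x0b\n"));
```

Without the `src.length >= srcLength` check, the second call would never return and the token array would grow until the process ran out of memory, which is the failure mode this advisory describes. With it, the bad input is reported as a parse error that the caller can log and reject.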
Exploit Details
- Research Report: 3-byte payload comprising Tab (\x09), Vertical Tab (\x0b), and Newline (\n)
Mitigation Strategies
- Dependency Upgrade
- Input Sanitization
- Network Traffic Filtering
- Process Management
Remediation Steps:
- Audit application dependencies using npm audit or equivalent tools to identify vulnerable versions of the marked library.
- Upgrade the marked package to version 18.0.2 or later in all application environments.
- If patching is delayed, implement middleware to sanitize user input by stripping the Vertical Tab (\x0b) character.
- Deploy WAF rules to block incoming payloads containing the \x09\x0b\x0a byte sequence.
- Configure appropriate memory limits and automatic restart policies for Node.js processes.
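The interim steps above (detect the reported byte sequence, strip Vertical Tab, and optionally reject the request) fit naturally in one request-handling layer. The following is an added example, not code from marked or from the advisory: it assumes an Express-style middleware shape (req.body, res.status().json(), next), a request field named "markdown", and a constructed request object so that it runs without any web framework installed.

```javascript
// Added example: defensive input layer for a service that renders untrusted
// Markdown while the upgrade to marked >= 18.0.2 is still pending.
const REPORTED_SEQUENCE = "\x09\x0b\x0a"; // Tab, Vertical Tab, Newline, as in the report

// Detection: true when the text carries the reported three-byte sequence.
function containsReportedSequence(text) {
  return typeof text === "string" && text.includes(REPORTED_SEQUENCE);
}

// Sanitisation: drop Vertical Tab (\x0b); it has no meaning in Markdown, so
// removing it does not change legitimate documents.
function stripVerticalTab(text) {
  return text.replace(/\x0b/g, "");
}

// Express-style middleware (assumed shape: req.body, res.status().json(), next).
// reject=false strips and logs; reject=true additionally answers 400.
function markdownInputGuard({ field = "markdown", reject = false, log = console.warn } = {}) {
  return function (req, res, next) {
    const value = req.body && req.body[field];
    if (typeof value !== "string") return next();
    if (containsReportedSequence(value)) {
      log(`[marked-guard] reported \\t\\v\\n sequence in field "${field}" from ${req.ip || "unknown"}`);
      if (reject) return res.status(400).json({ error: "invalid control characters in markdown" });
    }
    req.body[field] = stripVerticalTab(value);
    return next();
  };
}

// Stand-alone driver with a constructed request/response pair (no Express needed).
// The IP address is a documentation-range placeholder, not a real client.
function runGuard(body, options = {}) {
  const req = { body: { ...body }, ip: "203.0.113.5" };
  const res = {
    statusCode: 200,
    payload: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.payload = obj; return this; },
  };
  let calledNext = false;
  markdownInputGuard({ log: () => {}, ...options })(req, res, () => { calledNext = true; });
  return { req, res, calledNext };
}

console.log(runGuard({ markdown: "# title\t\x0b\nbody" }));
console.log(runGuard({ markdown: "# title\t\x0b\nbody" }, { reject: true }).res);
```

Strip mode is the safer default for most applications because ordinary users never type a Vertical Tab; reject mode gives the operations team a 400 to alert on. Whichever mode is used, the middleware is a stopgap: the Node.js memory limit (for example the --max-old-space-size flag) and an automatic restart policy still belong in place so that any other unbounded parse ends in a restart rather than a hung service, and the real fix remains the upgrade to marked 18.0.2.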
References
Read the full report for CVE-2026-41680 on our website for more details including interactive diagrams and full exploit analysis.