Critical Denial of Service (DoS) vulnerability in Marked markdown parser (CVE-2026-41680)
A critical Denial of Service (DoS) vulnerability, tracked as CVE-2026-41680, has been identified in Marked, a markdown parser and compiler, affecting versions 18.0.0 to 18.0.1. An unauthenticated attacker can trigger an infinite recursion loop with a specific 3-byte input, leading to unbounded memory allocation and a crash of the host Node.js application. The vulnerability is fixed in Marked version 18.0.2.
Context
Marked is a widely used markdown parser and compiler in the Node.js ecosystem. The vulnerability, identified as CVE-2026-41680, affects versions 18.0.0 to 18.0.1. It enables attackers to create an infinite recursion loop, which can crash applications and lead to unbounded memory usage.
Why it matters
The critical DoS vulnerability in the Marked markdown parser poses significant risks to applications using affected versions. Because no authentication is required, any party able to submit markdown to an affected application can trigger the crash, potentially leading to service outages. This could disrupt operations for businesses relying on the markdown parser for content rendering.
Implications
If left unaddressed, the vulnerability could lead to widespread disruptions for applications utilizing the affected versions of Marked. Organizations that rely on these applications may face downtime and loss of service. The incident highlights the importance of timely updates and vulnerability management in software development.
What to watch
Users of the Marked markdown parser should update to version 18.0.2 or later to mitigate the vulnerability. Monitoring for any reported attacks exploiting this flaw will be important in the near term. Additionally, developers should assess their applications for potential exposure, including copies of Marked pulled in as a transitive dependency rather than declared directly.
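One way to perform that exposure check, as an added example that is not part of the advisory or the Marked project: a Node.js script that walks an npm lockfile (v2/v3 "packages" map) and reports every installed copy of marked whose version falls in the affected range 18.0.0 to 18.0.1. The lockfile contents, package names and paths below are constructed for illustration; in practice the lockfile would be read from disk.

```javascript
// Scan an npm lockfile for copies of "marked" affected by CVE-2026-41680
// (affected 18.0.0 to 18.0.1, fixed in 18.0.2). Added example; the sample
// lockfile and package names are constructed, not taken from the advisory.

const AFFECTED_MIN = [18, 0, 0];
const FIXED = [18, 0, 2];

// Parse "x.y.z" into a numeric triple; prerelease/build suffixes are ignored,
// so "18.0.2-rc.1" is treated as 18.0.2 (conservative users may wish to flag it).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when version is in the half-open range [18.0.0, 18.0.2).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Lockfile "packages" keys are install paths; nested (transitive) copies of
// marked appear as ".../node_modules/<dep>/node_modules/marked".
function findAffectedMarked(lockfile) {
  const pkgs = lockfile.packages || {};
  return Object.entries(pkgs)
    .filter(([p, meta]) => p.endsWith('node_modules/marked') && isAffected(meta.version))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Constructed sample: one vulnerable root copy, one patched nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/marked': { version: '18.0.1' },
    'node_modules/some-dep/node_modules/marked': { version: '18.0.2' },
    'node_modules/other-dep': { version: '2.3.4' },
  },
};

console.log(findAffectedMarked(sampleLock)); // one hit: node_modules/marked @ 18.0.1
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means an update to 18.0.2 or later is needed at that path.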