CVE-2014-3743
Description
Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Marked module before 0.3.1 for Node.js contains multiple XSS flaws via GFM codeblock language or javascript URLs.
Overview
CVE-2014-3743 describes multiple cross-site scripting (XSS) vulnerabilities in the Marked module for Node.js prior to version 0.3.1. The flaws exist in the handling of GFM (GitHub Flavored Markdown) codeblocks and javascript URLs, allowing injection of arbitrary web script or HTML.
Exploitation
Attackers can exploit these vulnerabilities by crafting markdown input that includes malicious code in the language field of GFM codeblocks or in javascript URLs. When the markdown is rendered by the Marked module, the injected script executes in the context of the user's browser. No authentication is required if the application accepts user-supplied markdown.
Impact
Successful exploitation permits the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session theft, defacement, or other malicious actions.
Mitigation
Users are advised to upgrade to Marked version 0.3.1 or later, which includes patches for these XSS vectors. No workarounds are known.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| marked (npm) | < 0.3.1 | 0.3.1 |
Affected products
- Node.js/Marked (description)
References
- github.com/advisories/GHSA-9cw2-jqp5-7x39 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-1850 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2014/05/13/1 (mitre, x_refsource_MISC)
- www.openwall.com/lists/oss-security/2014/05/15/2 (mitre, x_refsource_MISC)
- bugzilla.redhat.com/show_bug.cgi (mitre, x_refsource_MISC)
- nodesecurity.io/advisories/marked_multiple_content_injection_vulnerabilities (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/22 (ghsa, WEB)