VYPR
Moderate severity · OSV Advisory · Published May 23, 2025 · Updated May 23, 2025

Regular Expression Denial of Service (ReDoS) in markedjs/marked

CVE-2018-25110

Description

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Marked prior to 0.3.17 is vulnerable to a ReDoS attack from catastrophic backtracking in regexes for HTML tags and markdown links, causing denial of service.

Vulnerability

CVE-2018-25110 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Marked markdown parser, affecting versions prior to 0.3.17. The root cause is catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links [1]. Specifically, the vulnerable regexes were identified in the block.closing, inline.tag, inline.nolink, and inline._inside patterns, which could be triggered by crafted input such as deeply nested brackets or repetitive tag attributes [2][3].
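
Why the character-class edits in the patch further down this page remove the backtracking, as an added example (not code from Marked or from this advisory): it counts how many different ways each repeated group can consume the same text, before and after the fix. The names `LOOPS`, `countTokenizations` and `compare` are assumptions of this example, and the inputs are short strings built from the repeating unit of the two test fixtures.

```javascript
'use strict';
// Added example, not Marked's code. Each list holds the alternatives of one
// `(?:A|B|C)*` loop, copied from the '-' (before) and '+' (after) lines of the
// patch to lib/marked.js shown on this page.
const LOOPS = {
  // loop shared by inline.nolink and inline._inside
  brackets: {
    before: [/\[[^\]]*\]/, /\\[\[\]]/, /[^\[\]]/],
    after: [/\[[^\[\]]*\]/, /\\[\[\]]/, /[^\[\]]/],
    unit: '\\[[]', // constructed: repeating unit of test/new/redos_nolink.md
  },
  // attribute loop of block.html 'closing'
  attributes: {
    before: [/"[^"]*"/, /'[^']*'/, /\s[^'"\/>]*/],
    after: [/"[^"]*"/, /'[^']*'/, /\s[^'"\/>\s]*/],
    unit: '  ""', // constructed: repeating unit of test/new/redos_html_closing.md
  },
};

// Number of distinct ways `text` can be cut into consecutive pieces that each
// match one alternative in full. A backtracking engine may walk every one of
// these when the pattern after the loop fails to match.
function countTokenizations(alternatives, text) {
  const whole = alternatives.map((re) => new RegExp('^(?:' + re.source + ')$'));
  const ways = new Array(text.length + 1).fill(0);
  ways[text.length] = 1; // the empty remainder has exactly one split
  for (let i = text.length - 1; i >= 0; i--) {
    for (let j = i + 1; j <= text.length; j++) {
      if (ways[j] === 0) continue; // no complete split continues from j
      const piece = text.slice(i, j);
      for (const re of whole) {
        if (re.test(piece)) ways[i] += ways[j];
      }
    }
  }
  return ways[0];
}

// Counts for `repeats` copies of a loop's unit, before and after the patch.
function compare(loopName, repeats) {
  const { before, after, unit } = LOOPS[loopName];
  const text = unit.repeat(repeats);
  return {
    before: countTokenizations(before, text),
    after: countTokenizations(after, text),
  };
}

console.log(compare('brackets', 20), compare('attributes', 20));
```

The "before" count doubles with every repeated unit, while the "after" count stays at one, which is the property the two fixtures check through elapsed time.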

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted markdown document to a server or application that uses the vulnerable version of Marked. The malicious input causes the regex engine to enter a state of catastrophic backtracking, consuming excessive CPU time and potentially causing the process to hang [1]. The attack requires no authentication and can be delivered via any channel that accepts markdown input, such as web forms, API endpoints, or chat applications [2].

Impact

Successful exploitation leads to a Denial of Service (DoS) condition, where the affected server becomes unresponsive to legitimate requests. Since Marked is often used in server-side environments (e.g., Node.js web servers) to render user-generated markdown, this vulnerability could be used to disrupt service availability [2][4]. The attacker does not gain code execution or data access, but the service disruption can have significant operational impact.

Mitigation

The vulnerability was patched in Marked version 0.3.17, released on 2017-07-17, which contains fixes to the affected regular expressions [3]. Users are advised to upgrade to version 0.3.17 or later. There is no indication that CVE-2018-25110 is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. No workarounds are available other than upgrading.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Affected versions   Patched versions
marked (npm)   < 0.3.17            0.3.17

Affected products

1

Patches

1
20bfc106013e

Merge pull request #1083 from davisjam/REDOSTests

https://github.com/markedjs/marked · Josh Bruce · Feb 27, 2018 · via ghsa
8 files changed · +12 -5
  • lib/marked.js · +4 -4 · modified
    @@ -55,7 +55,7 @@ block._tag = '(?!(?:'
     block.html = edit(block.html)
       .replace('comment', /<!--[\s\S]*?-->/)
       .replace('closed', /<(tag)[\s\S]+?<\/\1>/)
    -  .replace('closing', /<tag(?:"[^"]*"|'[^']*'|\s[^'"\/>]*)*?\/?>/)
    +  .replace('closing', /<tag(?:"[^"]*"|'[^']*'|\s[^'"\/>\s]*)*?\/?>/)
       .replace(/tag/g, block._tag)
       .getRegex();
     
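    Review bot: the `\s` added to the negated class on the `closing` line has no comment saying why it is there, so a later cleanup could drop it as redundant and bring back the overlap between `\s` and `[^'"\/>]*` on runs of whitespace. Add a one-line comment above `.replace('closing', ...)` stating that the class must exclude whitespace so that each space can be consumed in only one way.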
    @@ -461,10 +461,10 @@ var inline = {
       escape: /^\\([\\`*{}\[\]()#+\-.!_>])/,
       autolink: /^<(scheme:[^\s\x00-\x1f<>]*|email)>/,
       url: noop,
    -  tag: /^<!--[\s\S]*?-->|^<\/?[a-zA-Z0-9\-]+(?:"[^"]*"|'[^']*'|\s[^<'">\/]*)*?\/?>/,
    +  tag: /^<!--[\s\S]*?-->|^<\/?[a-zA-Z0-9\-]+(?:"[^"]*"|'[^']*'|\s[^<'">\/\s]*)*?\/?>/,
       link: /^!?\[(inside)\]\(href\)/,
       reflink: /^!?\[(inside)\]\s*\[([^\]]*)\]/,
    -  nolink: /^!?\[((?:\[[^\]]*\]|\\[\[\]]|[^\[\]])*)\]/,
    +  nolink: /^!?\[((?:\[[^\[\]]*\]|\\[\[\]]|[^\[\]])*)\]/,
       strong: /^__([\s\S]+?)__(?!_)|^\*\*([\s\S]+?)\*\*(?!\*)/,
       em: /^_([^\s_](?:[^_]|__)+?[^\s_])_\b|^\*((?:\*\*|[^*])+?)\*(?!\*)/,
       code: /^(`+)\s*([\s\S]*?[^`]?)\s*\1(?!`)/,
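    Review bot: the `nolink` edit is not only a performance fix. With `[^\[\]]*` in place of `[^\]]*`, a bracketed group inside the link text can no longer contain an unbalanced `[`, so input such as `[a [b [c] d]` stops matching `nolink` where it matched before. Add a fixture with expected HTML for nested and unbalanced brackets so the new behaviour is pinned down by a test. The `\s` added to `tag` mirrors the `closing` edit and raises no separate concern.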
    @@ -481,7 +481,7 @@ inline.autolink = edit(inline.autolink)
       .replace('email', inline._email)
       .getRegex()
     
    -inline._inside = /(?:\[[^\]]*\]|\\[\[\]]|[^\[\]]|\](?=[^\[]*\]))*/;
    +inline._inside = /(?:\[[^\[\]]*\]|\\[\[\]]|[^\[\]]|\](?=[^\[]*\]))*/;
     inline._href = /\s*<?([\s\S]*?)>?(?:\s+['"]([\s\S]*?)['"])?\s*/;
     
     inline.link = edit(inline.link)
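    Review bot: `inline._inside` now carries the same edited alternation as `nolink` in the previous hunk, kept as two separate literals. Since `edit()` already assembles `inline.link` from named parts, consider building `nolink` from a shared fragment as well, so the next fix to this alternation cannot be applied to one pattern and missed in the other.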
    
  • test/index.js · +6 -1 · modified
    @@ -110,8 +110,13 @@ function runTests(engine, options) {
       for (i = 0; i < len; i++) {
         filename = filenames[i];
         file = files[filename];
    +
    +    var before = process.hrtime();
         success = testFile(engine, file, filename, i + 1);
    -    if (success) {
    +    var elapsed = process.hrtime(before);
    +    var tookLessThanOneSec = (elapsed[0] === 0);
    +
    +    if (success && tookLessThanOneSec) {
           succeeded++;
         } else {
           failed++;
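    Review bot: `tookLessThanOneSec` is folded into `success &&`, so in these lines a slow input lands in the same `failed++` branch as a rendering mismatch with nothing to tell the two apart. Print the filename and `elapsed` when the time check fails, and give the one-second limit a named constant. The check also runs only after `testFile` returns, so it reports a slow regex but cannot interrupt one that never finishes.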
    
  • test/new/headings_id.html · +0 -0 · renamed
  • test/new/headings_id.md · +0 -0 · renamed
  • test/new/redos_html_closing.html · +0 -0 · added
  • test/new/redos_html_closing.md · +1 -0 · added
    @@ -0,0 +1 @@
    +<tag  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""  ""<" />a'a
    
  • test/new/redos_nolink.html · +0 -0 · added
  • test/new/redos_nolink.md · +1 -0 · added
    @@ -0,0 +1 @@
    +![\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]\[[]!\
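    Review bot: fixtures are added only for `closing` (redos_html_closing.md) and `nolink` (this file); the `inline.tag` and `inline._inside` edits in lib/marked.js get no fixture of their own. Add one input per changed pattern so that reverting any single regex trips the one-second check. Both new .html files are listed with no added lines, so these tests assert on timing alone; a short comment in test/index.js saying so would help the next reader.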
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
