marked_project CVE Vulnerabilities & Metrics

Focus on marked_project vulnerabilities and metrics.

Last updated: 21 Aug 2025, 22:25 UTC

About marked_project Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with marked_project. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total marked_project CVEs: 10
Earliest CVE date: 27 Jan 2015, 20:04 UTC
Latest CVE date: 23 May 2025, 15:15 UTC

Latest CVE reference: CVE-2018-25110

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical marked_project CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.5

Max CVSS: 7.8

Critical CVEs (≥9): 0

CVSS Range vs. Count

| Range | Count |
| --- | --- |
| 0.0-3.9 | 1 |
| 4.0-6.9 | 8 |
| 7.0-8.9 | 1 |
| 9.0-10.0 | 0 |

CVSS Distribution Chart

Top 5 Highest CVSS marked_project CVEs

These are the five CVEs with the highest CVSS scores for marked_project, sorted first by severity and then by recency.

All CVEs for marked_project

CVE-2018-25110 | marked_project vulnerability | CVSS: 0 | 23 May 2025, 15:15 UTC

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which causes the parser to hang and leads to a Denial of Service.

CVE-2022-21681 | marked_project vulnerability | CVSS: 5.0 | 14 Jan 2022, 17:15 UTC

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings and lead to a denial of service (DoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

CVE-2022-21680 | marked_project vulnerability | CVSS: 5.0 | 14 Jan 2022, 17:15 UTC

Marked is a markdown parser and compiler. Prior to version 4.0.10, the regular expression `block.def` may cause catastrophic backtracking against some strings and lead to a regular expression denial of service (ReDoS). Anyone who runs untrusted markdown through a vulnerable version of marked and does not use a worker with a time limit may be affected. This issue is patched in version 4.0.10. As a workaround, avoid running untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

CVE-2021-21306 | marked_project vulnerability | CVSS: 5.0 | 08 Feb 2021, 22:15 UTC

Marked is an open-source markdown parser and compiler (npm package "marked"). In marked from version 1.1.1 and before version 2.0.0, there is a Regular expression Denial of Service vulnerability. This vulnerability can affect anyone who runs user generated code through marked. This vulnerability is fixed in version 2.0.0.

CVE-2014-3743 | marked_project vulnerability | CVSS: 4.3 | 06 Jan 2020, 20:15 UTC

Multiple cross-site scripting (XSS) vulnerabilities in the Marked module before 0.3.1 for Node.js allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) gfm codeblocks (language) or (2) javascript URLs.

CVE-2017-16114 | marked_project vulnerability | CVSS: 5.0 | 07 Jun 2018, 02:29 UTC

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

CVE-2016-10531 | marked_project vulnerability | CVSS: 4.3 | 31 May 2018, 20:29 UTC

marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `javascript:` URL. This flaw exists because `&#xNNanything;` is parsed as far as it can be and the rest is left behind, resulting in just `anything;` being left.

CVE-2017-1000427 | marked_project vulnerability | CVSS: 4.3 | 02 Jan 2018, 23:29 UTC

marked version 0.3.6 and earlier is vulnerable to an XSS attack in the data: URI parser.

CVE-2015-8854 | marked_project vulnerability | CVSS: 7.8 | 23 Jan 2017, 21:59 UTC

The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline rule," aka a "regular expression denial of service (ReDoS)."

CVE-2015-1370 | marked_project vulnerability | CVSS: 4.3 | 27 Jan 2015, 20:04 UTC

Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link.