Versions of marked from 0.3.14 until 0.6.2 are vulnerable to Regular Expression Denial of Service. Email addresses may be evaluated in quadratic time, allowing attackers to potentially crash the node process due to resource exhaustion.
Recommendation
Upgrade to version 0.6.2 or later.
References
- https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d
- https://github.com/markedjs/marked/pull/1460
- https://snyk.io/vuln/SNYK-JS-MARKED-174116
- https://www.npmjs.com/advisories/812
- https://github.com/markedjs/marked/releases/tag/v0.6.2
- https://github.com/advisories/GHSA-xf5p-87ch-gxw2