CVE-2018-25110

MEDIUM EPSS 38.6%
Published May 23, 20251y ago · Modified Jun 17, 20261w ago
6.9 CVSS 4.0
Medium
Find Similar
Published May 23, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

Marked prior to version 0.3.17 is vulnerable to a Regular Expression Denial of Service (ReDoS) attack due to catastrophic backtracking in several regular expressions used for parsing HTML tags and markdown links. An attacker can exploit this vulnerability by providing specially crafted markdown input, such as deeply nested or repetitively structured brackets or tag attributes, which cause the parser to hang and lead to a Denial of Service.

CVSS Details

Base Score
6.9
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
38.6% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-1333

Affected Products 1

VendorProductVersionRange
marked_projectmarked* <0.3.17

References 4

  • github.com https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110
    ExploitThird Party Advisory
  • github.com https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485
    Patch
  • github.com https://github.com/markedjs/marked/issues/1070
    Issue TrackingThird Party Advisory
  • github.com https://github.com/markedjs/marked/pull/1083
    Issue TrackingPatch

Remediation

  • github.com https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485
    Patch
  • github.com https://github.com/markedjs/marked/pull/1083
    Issue TrackingPatch