Nixpkgs security tracker

Dismissed

(not in Nixpkgs)

Permalink CVE-2026-41680

updated 4 weeks, 1 day ago by @LeSuisse Activity log

Created suggestion 1 month ago
@LeSuisse dismissed (not in Nixpkgs) 4 weeks, 1 day ago

Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer

Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.

References

https://github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7 x_refsource_CONFIRMexploit

Affected products

marked

==>= 18.0.0, < 18.0.2

Matching in nixpkgs

pkgs.marked-man

Markdown to roff wrapper around marked

nixos-unstable 2.1.0
- nixpkgs-unstable 2.1.0
- nixos-unstable-small 2.1.0
nixos-25.11 2.1.0
- nixos-25.11-small 2.1.0
- nixpkgs-25.11-darwin 2.1.0

pkgs.haskellPackages.yaml-marked

Support for parsing and rendering YAML documents with marks

nixos-unstable 0.2.0.1
- nixpkgs-unstable 0.2.0.1
- nixos-unstable-small 0.2.0.1
nixos-25.11 0.2.0.1
- nixos-25.11-small 0.2.0.1
- nixpkgs-25.11-darwin 0.2.0.1

Package maintainers

@Atemu Atemu <nixpkgs@mail.atemu.net>