Threat Advisory

Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-41680, with a CVSS score of 8.7, is a critical Denial of Service (DoS) vulnerability in the marked markdown parser, affecting versions 18.0.0 to 18.0.1. A malformed markdown input sequence triggers infinite recursion in the marked tokenizer, leading to unbounded memory allocation and ultimately crashing the host Node.js application through memory exhaustion (OOM). An unauthenticated attacker can exploit the flaw by sending a crafted 3-byte input sequence consisting of a tab, a vertical tab, and a newline; the attack vector is the network, the complexity is low, and no privileges or user interaction are required. A successful attack crashes the service remotely, resulting in a total loss of availability. The business impact is significant: any application, API, chatbot, or documentation system that uses the vulnerable versions to parse untrusted user input is exposed, so upgrading is essential. The prerequisites for exploitation are virtually none, as the payload requires no authentication and only 3 bytes of data.


RECOMMENDATION:

We recommend updating marked to version 18.0.2.
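As an added example (not code from the advisory or from the marked project), the following Node.js helpers cover both points above: a version check against the affected range 18.0.0 to 18.0.1 named in the summary, and a pre-parse guard that rejects untrusted input containing control characters other than tab, newline and carriage return, so the tab/vertical-tab/newline sequence never reaches the tokenizer while the upgrade to 18.0.2 is rolled out. The size limit and the function names are this example's own assumptions.

```javascript
// Affected and fixed versions as stated in the advisory.
const AFFECTED_MIN = [18, 0, 0];
const AFFECTED_MAX = [18, 0, 1];
const FIXED_VERSION = '18.0.2';

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// True when the installed marked version lies in the advisory's affected range.
// Feed it require('marked/package.json').version in a real deployment check.
function isAffectedMarkedVersion(version) {
  const v = parseSemver(version);
  return compareSemver(v, AFFECTED_MIN) >= 0 && compareSemver(v, AFFECTED_MAX) <= 0;
}

// C0 controls except \t (0x09), \n (0x0A) and \r (0x0D), plus DEL (0x7F).
// This covers the vertical tab (0x0B) used in the advisory's input sequence.
const FORBIDDEN_CONTROL = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/;

// Validate untrusted markdown before handing it to the parser. Returns
// { ok: true, text } or { ok: false, reason }. maxBytes is an assumed default;
// size-cap the input as well so pathological documents are bounded up front.
function validateMarkdownInput(text, maxBytes = 64 * 1024) {
  if (typeof text !== 'string') return { ok: false, reason: 'input is not a string' };
  if (Buffer.byteLength(text, 'utf8') > maxBytes) {
    return { ok: false, reason: `input exceeds ${maxBytes} bytes` };
  }
  const hit = FORBIDDEN_CONTROL.exec(text);
  if (hit) {
    const code = hit[0].charCodeAt(0).toString(16).toUpperCase().padStart(4, '0');
    return { ok: false, reason: `control character U+${code} at offset ${hit.index}` };
  }
  return { ok: true, text };
}

// Constructed sample: a normal document passes, one containing a vertical tab is rejected.
const sampleOk = validateMarkdownInput('# Title\n\tindented code\r\n');
const sampleBad = validateMarkdownInput('\t\u000B\n');
```

Call `marked.parse(result.text)` only when `result.ok` is true; on rejection, log the reason and return a 400 to the client.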

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6v9c-7cg6-27q7
