CVE-2026-41680: Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer

April 29, 2026

A critical Denial of Service (DoS) vulnerability exists in marked@18.0.0. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM).

References

github.com/advisories/GHSA-6v9c-7cg6-27q7
github.com/markedjs/marked
github.com/markedjs/marked/security/advisories/GHSA-6v9c-7cg6-27q7
nvd.nist.gov/vuln/detail/CVE-2026-41680

Code Behaviors & Features

Detect and mitigate CVE-2026-41680 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →