CVE-2026-41680
Published: 24 April 2026
Summary
CVE-2026-41680 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Marked Project Marked. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-41680 is a critical Denial of Service (DoS) vulnerability in the Marked markdown parser and compiler, affecting versions 18.0.0 through 18.0.1. The flaw arises from an infinite recursion loop triggered by a specific three-byte input sequence—a tab (\x09), a vertical tab (\x0b), and a newline (\n)—during parsing. This causes unbounded memory allocation, resulting in memory exhaustion (OOM) and a crash of the host Node.js application. The vulnerability is associated with CWEs-400 (Uncontrolled Resource Consumption), CWE-674 (Uncontrolled Recursion), and CWE-835 (Infinite Loop), and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By supplying the malicious three-byte sequence to a Marked parser in a Node.js application—such as in web servers, APIs, or tools that process untrusted Markdown input—the attacker triggers the recursion loop, leading to complete denial of service through application crash.
The official GitHub security advisory (GHSA-6v9c-7cg6-27q7) confirms the issue and states that it is fixed in Marked version 18.0.2. Security practitioners should upgrade to 18.0.2 or later and audit dependencies in Node.js projects using Marked for user-supplied Markdown parsing.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25585
Vulnerability details
Marked is a markdown parser and compiler. From 18.0.0 to 18.0.1, a critical Denial of Service (DoS) vulnerability exists in marked. By providing a specific 3-byte input sequence a tab, a vertical tab, and a newline (\x09\x0b\n)—an unauthenticated attacker can…
more
trigger an infinite recursion loop during parsing. This leads to unbounded memory allocation, causing the host Node.js application to crash via Memory Exhaustion (OOM). This vulnerability is fixed in 18.0.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of public-facing applications (T1190) processing untrusted Markdown input, directly facilitating endpoint DoS via application exploitation (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation requires timely patching of the Marked library to version 18.0.2, directly eliminating the infinite recursion vulnerability causing memory exhaustion.
Resource availability protections allocate dedicated resources and prevent exhaustion from unbounded memory allocation triggered by the malicious input sequence.
Information input validation detects and rejects the specific three-byte sequence (\x09\x0b\n) before it reaches the Marked parser, preventing the recursion loop.