high severity

Content & Code Injection (XSS)

Affected package   Vulnerable versions   Latest version   Snyk patch
marked             <0.3.6                0.3.6            Available


marked is a markdown parser and compiler used for rendering markdown content to HTML. It is vulnerable to a content injection attack that allows an attacker to bypass its output sanitization (sanitize: true) protection. Using the HTML Coded Character Set (HTML character references), an attacker can inject javascript: code snippets into the output: the sanitizer inspects the link before the character references are decoded, while the browser decodes them when the link is followed. For example, the input javascript&#x58document;alert&#40;1&#41; results in alert(1) being executed when the user clicks the link.
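The bypass comes down to checking the URL scheme before decoding. The following is an added example, not code from marked or Snyk: a naive href check on the raw text beside a hardened one that decodes HTML character references (and percent-encoding) first, run over constructed sample hrefs in the form the advisory describes.

```javascript
// Added example (not marked's or Snyk's code): href scheme checks with and
// without decoding HTML character references first.

// Decode numeric references (&#58; &#x3A;) and a few named ones. The
// semicolon is optional because browsers accept numeric references without it.
function decodeEntities(s) {
  const named = { colon: ':', amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&(#x[0-9a-f]+|#\d+|\w+);?/gi, (m, n) => {
    if (n[0] !== '#') return named[n.toLowerCase()] || m;
    const hex = n[1].toLowerCase() === 'x';
    const cp = parseInt(n.slice(hex ? 2 : 1), hex ? 16 : 10);
    return Number.isNaN(cp) || cp > 0x10ffff ? m : String.fromCodePoint(cp);
  });
}

const BLOCKED_SCHEMES = ['javascript:', 'vbscript:', 'data:'];

// Naive check on the raw text: "javascript&#58;..." does not start with
// "javascript:", so it passes, yet the browser decodes it to exactly that.
function naiveHrefIsSafe(href) {
  const prot = href.replace(/[^\w:]/g, '').toLowerCase();
  return !BLOCKED_SCHEMES.some((s) => prot.startsWith(s));
}

// Hardened check: decode references and percent-encoding, strip anything but
// word characters and colons, then test the scheme; malformed input is rejected.
function hardenedHrefIsSafe(href) {
  let prot;
  try {
    prot = decodeURIComponent(decodeEntities(href)).replace(/[^\w:]/g, '').toLowerCase();
  } catch (e) {
    return false;
  }
  return !BLOCKED_SCHEMES.some((s) => prot.startsWith(s));
}

// Constructed sample hrefs: a benign link plus reference-encoded variants of
// the input form the advisory describes.
const SAMPLES = [
  'https://example.com/docs',
  'javascript:alert(1)',
  'javascript&#58;alert(1)',
  'javascript&#58alert(1)',
  'javascript&#x3A;alert(1)',
  'javascript&colon;alert(1)',
];

// One [href, naiveVerdict, hardenedVerdict] row per sample (true = allowed).
function compareChecks(samples = SAMPLES) {
  return samples.map((h) => [h, naiveHrefIsSafe(h), hardenedHrefIsSafe(h)]);
}
```

The naive check lets every encoded variant through while the hardened one rejects all of them and still accepts the benign link.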


Upgrade marked to version 0.3.6 or higher. Alternatively, you can patch the vulnerability using the Snyk wizard, or switch to remarkable or another markdown library.


Snyk patch

Available for versions: