@hibrian827
hibrian827 / README.md
Created April 15, 2026 21:17
Report of Potential DoS in marked.js

marked: Quadratic DoS via Escaped Punctuation

Summary

Lexer.inlineTokens in marked rebuilds maskedSrc from scratch for every backslash-escaped punctuation match, producing O(n^2) behavior. A sub-200 KB input ties up the parser for 12+ seconds.

Affected

  • Project: markedjs/marked
  • Tested versions: 13.0.3 and 18.0.0 (latest as of 2026-04-15) — both vulnerable
@hibrian827
hibrian827 / READMD.md
Created April 15, 2026 20:50
Report on potential validation bypass in isUrl() of validator.js

validator.js: Host Whitelist Bypass via Backslash Authority Confusion

Summary

validator.isURL() with host_whitelist can be bypassed using backslashes as authority separators. The input http:\evil.test\@allowed.test/ passes the allowed.test whitelist, but WHATWG-compatible sinks (Node http.get, browsers) resolve the host as evil.test.
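One way to close this gap on the consuming side, as an added example that is not code from this report or from validator.js: parse with the same WHATWG parser the sink uses, compare the parsed hostname against the allowlist, and pass on only the canonical string. The names `hostAllowed`, `ALLOWED` and `SAMPLES` are hypothetical, and rejecting embedded credentials is an assumed policy choice.

```javascript
// Added example: allowlist check built on the WHATWG URL parser (Node global URL).
// hostAllowed, ALLOWED and SAMPLES are hypothetical names, not validator.js API.
const ALLOWED = new Set(['allowed.test']);

// Returns the canonical URL string when the parsed host is allowlisted, else null.
function hostAllowed(input, allowed = ALLOWED) {
  let url;
  try {
    // For http(s) the WHATWG parser treats "\" like "/", so the authority of
    // "http:\evil.test\@allowed.test/" ends at the second backslash.
    url = new URL(input);
  } catch {
    return null; // not parseable as an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  // Assumed policy: refuse userinfo outright, it only invites host confusion.
  if (url.username !== '' || url.password !== '') return null;
  // url.hostname is already lowercased and normalized by the parser.
  if (!allowed.has(url.hostname)) return null;
  // Hand the canonical form to the sink, never the raw input string.
  return url.href;
}

// Constructed sample inputs; the first is the string quoted in the report.
const SAMPLES = [
  'http:\\evil.test\\@allowed.test/',
  'https://allowed.test/path',
  'http://evil.test@allowed.test/',
  'http://ALLOWED.test/',
];

// Maps each sample to the host the parser sees and the allowlist verdict.
function evaluateSamples(samples = SAMPLES) {
  return samples.map((s) => {
    let host = null;
    try { host = new URL(s).hostname; } catch { /* unparseable input */ }
    return { input: s, parsedHost: host, result: hostAllowed(s) };
  });
}

for (const row of evaluateSamples()) {
  console.log(JSON.stringify(row));
}
```

Because the check and the sink share one parser, the string from the report is judged by the host it would actually reach (evil.test) and is refused.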

Affected