observablehq / stdlib

The Observable standard library.
https://observablehq.com/@observablehq/standard-library
ISC License

Marked Security Issue #169

Closed GordonSmith closed 3 years ago

GordonSmith commented 4 years ago

WS-2019-0027 (moderate severity). Vulnerable versions: < 0.3.18. Patched version: 0.3.18. Versions 0.3.17 and earlier of marked had four regexes that were vulnerable to catastrophic backtracking. This leaves markdown servers open to a potential ReDoS attack.

https://github.com/observablehq/stdlib/blob/4867f8f2ac8236f1fa42cbb1a70cc72e59c52d31/src/md.js#L8
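The advisory quoted above names catastrophic backtracking as the defect but does not show how a maintainer would catch it in a test suite. The following JavaScript is an added example, not code from observablehq/stdlib, from marked, or from the advisory: it times a regex at two input lengths and flags a pattern whose running time grows much faster than the input does. The two regexes and the inputs are constructed for illustration (a textbook nested quantifier beside its linear equivalent); they are not the four patterns the advisory refers to.

```javascript
// Added example: a regression-test helper that flags regexes whose match time
// grows super-linearly with input length, the signature of catastrophic
// backtracking. Regexes and inputs below are constructed samples, not the
// patterns from the marked advisory or from observablehq/stdlib.

const now = () => (globalThis.performance ? performance.now() : Date.now());

// V8 interprets a regex on its first executions and compiles it later; run a
// few cheap matches first so both measurements use the same engine tier.
function warmUp(re) {
  for (let n = 1; n <= 8; n++) re.test("a".repeat(n) + "!");
}

// Time re.test(input) in a loop until at least minMs have elapsed and return
// the mean milliseconds per call, so short matches are measured above noise.
function timePerCall(re, input, minMs = 20) {
  let runs = 0;
  let elapsed = 0;
  const start = now();
  do {
    re.test(input);
    runs++;
    elapsed = now() - start;
  } while (elapsed < minMs);
  return elapsed / runs;
}

// Measure at two input sizes and compare how the time grew against how the
// input grew. A linear scanner grows by roughly sizeFactor; quadratic or
// exponential backtracking grows far faster. `slack` tolerates timer noise.
function growthProfile(re, buildInput, smallN, largeN, slack = 2) {
  warmUp(re);
  const tSmall = timePerCall(re, buildInput(smallN));
  const tLarge = timePerCall(re, buildInput(largeN));
  const sizeFactor = largeN / smallN;
  const timeFactor = tLarge / tSmall;
  return { sizeFactor, timeFactor, superLinear: timeFactor > sizeFactor * slack };
}

// Constructed sample: a nested quantifier, the classic exponential case. Each
// extra "a" roughly doubles the number of ways the engine can split the input
// before it learns that the trailing "!" makes a match impossible.
const nestedQuantifier = /^(a+)+$/;
// Constructed sample: a linear regex accepting the same language.
const flatQuantifier = /^a+$/;
// Inputs that almost match, which is what forces the engine to backtrack.
const almostMatching = (n) => "a".repeat(n) + "!";

function checkNested() {
  // Sizes kept small on purpose: work here is on the order of 2^n steps.
  return growthProfile(nestedQuantifier, almostMatching, 18, 22);
}

function checkFlat() {
  // The linear regex needs long inputs before its time is measurable at all.
  return growthProfile(flatQuantifier, almostMatching, 100000, 200000);
}

function report() {
  const results = { nested: checkNested(), flat: checkFlat() };
  for (const [name, r] of Object.entries(results)) {
    console.log(
      `${name}: input x${r.sizeFactor.toFixed(2)}, time x${r.timeFactor.toFixed(1)}` +
        (r.superLinear ? "  <- super-linear, review this regex" : "  ok")
    );
  }
  return results;
}

report();
```

In a project's test suite the same profile would be run over each regex the Markdown parser uses, with inputs shaped to almost match that rule, and the build would fail on any `superLinear` result; keep the sizes for suspect patterns small so a genuinely exponential regex fails the test in milliseconds rather than hanging it.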

mbostock commented 3 years ago

Marked only runs within the notebook sandbox, running on Markdown input that the notebook author wrote; therefore, there should not be a risk of attack. We do plan on upgrading our Markdown template literal in the nearish future, perhaps switching to a stricter CommonMark variant, but this depends on implementing versioning for our standard library so as to not break existing notebooks.