- Package: src:node-markdown-it
- Source: src:node-markdown-it
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-28 15:25:02 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for node-markdown-it.

CVE-2026-48988[0]:
| markdown-it is a Markdown parser. Versions 14.1.1 and below contain
| a denial-of-service vulnerability when typographer: true is enabled,
| due to quadratic (O(n^2)) processing in the smartquotes rule. The
| issue stems from repeatedly modifying strings with replaceAt(),
| which performs O(n) slicing and concatenation per quote character.
| This can cause excessive CPU consumption when parsing quote-heavy,
| user-supplied markdown and may let attackers degrade or disrupt
| service availability. Although typographer is disabled by default,
| many production apps enable it for smart typography, making the
| issue relevant. This issue has been fixed in version 14.2.0.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48988
    https://www.cve.org/CVERecord?id=CVE-2026-48988
[1] https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq
[2] https://github.com/markdown-it/markdown-it/commit/9ce2087562c45d1e5ddd9f76b990f4b3fbe040e5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
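The advisory above names the root cause as a per-quote `replaceAt()` that slices and concatenates the whole string. The following is an added illustration, not markdown-it's own code and not the upstream fix: it reduces that pattern to a toy quote-replacing pass that counts how many characters each version copies, beside a single-pass rewrite that builds the output once. The names `replaceAt`, `quoteQuadratic`, `quoteLinear` and `measureWork`, the `copied` counter and the sample inputs are all constructed for this example.

```javascript
// Added example (not markdown-it's code): why repeated slice-and-concatenate
// replacement is quadratic on quote-heavy input, and a linear alternative.
// All names below are assumptions made for this illustration.

const OPEN = '\u201C';  // left double quotation mark
const CLOSE = '\u201D'; // right double quotation mark

// Slice-and-concatenate replacement: every call builds a brand-new string,
// so it copies all n characters. `work.copied` is a constructed counter
// that records how many characters were copied.
function replaceAt(str, index, ch, work) {
  work.copied += str.length;
  return str.slice(0, index) + ch + str.slice(index + 1);
}

// Quadratic version: one replaceAt() per straight quote, alternating
// open/close. q quotes in an n-character string cost q * n copies, which
// is O(n^2) when the input is mostly quotes.
function quoteQuadratic(text) {
  const work = { copied: 0 };
  let out = text;
  let open = true;
  for (let i = 0; i < out.length; i++) {
    if (out[i] === '"') {
      out = replaceAt(out, i, open ? OPEN : CLOSE, work);
      open = !open;
    }
  }
  return { text: out, copied: work.copied };
}

// Linear version: collect output pieces and join once at the end, so each
// input character is handled a constant number of times regardless of how
// many quotes the input contains.
function quoteLinear(text) {
  const parts = [];
  let open = true;
  let copied = 0;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (ch === '"') {
      parts.push(open ? OPEN : CLOSE);
      open = !open;
    } else {
      parts.push(ch);
    }
    copied += 1;
  }
  return { text: parts.join(''), copied };
}

// Compares the copy counts of both versions on a constructed input made
// entirely of straight quotes, the worst case for the per-quote rewrite.
function measureWork(n) {
  const input = '"'.repeat(n);
  return {
    quadratic: quoteQuadratic(input).copied,
    linear: quoteLinear(input).copied,
  };
}

// Stand-alone demonstration of the growth: doubling n quadruples the
// quadratic count but only doubles the linear one.
for (const n of [100, 200, 400]) {
  const w = measureWork(n);
  console.log(`n=${n} quadratic=${w.quadratic} linear=${w.linear}`);
}
```

Both versions produce identical output on ordinary text; the difference is only in work done, which is why a benchmark on quote-dense input (rather than a correctness test) is what exposes this class of bug. The defensive takeaway for an application that enables `typographer: true` on user-supplied markdown is to upgrade to a fixed version and, independently, to bound the size of untrusted documents handed to the parser.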
We believe that the bug you reported is fixed in the latest version of node-markdown-it, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1140349@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-markdown-it package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Sun, 28 Jun 2026 17:02:49 +0200
Source: node-markdown-it
Architecture: source
Version: 22.2.3+dfsg+~12.2.3-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 1140349
Changes:
 node-markdown-it (22.2.3+dfsg+~12.2.3-5) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.4
   * Drop "Rules-Requires-Root: no"
   * Drop "Priority: optional"
   * debian/watch version 5
   * Fix smartquotes performance (Closes: #1140349, CVE-2026-48988)
Checksums-Sha1:
 c0674c0095145a6b8a931ac3a17b97d0895a8fb0 4417 node-markdown-it_22.2.3+dfsg+~12.2.3-5.dsc
 1a69060897f97bfeacf50ce6699aab6dc7808ad5 22132 node-markdown-it_22.2.3+dfsg+~12.2.3-5.debian.tar.xz
Checksums-Sha256:
 4e96dabe3138abf9aaaca9c65d826bbcdde80febcc7abb378e8604b9942bee15 4417 node-markdown-it_22.2.3+dfsg+~12.2.3-5.dsc
 fd36645bb3968832d7bb7925b10a903413c50c4da1895ff5c444201763b7f4b2 22132 node-markdown-it_22.2.3+dfsg+~12.2.3-5.debian.tar.xz
Files:
 6ee23b2ffe433a869448df86507e5401 4417 javascript optional node-markdown-it_22.2.3+dfsg+~12.2.3-5.dsc
 9b88c7fcc66c5450111f8c0011a9f7f9 22132 javascript optional node-markdown-it_22.2.3+dfsg+~12.2.3-5.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmpBN9gACgkQ9tdMp8mZ
7untoQ//S0bIsekbeqTf/5HU6M2rH5uhI5cex94yriuIQqomww9YGEM3K75n8+gE
cfCbDc+Jxqfi+aOvEdbozttE3oSxGm/oYe6+ZRZiz+uPYfIYuqle/wljE/Nhh97g
gS2WLeDcWwHcfwndeonbjwDqdpowN1unrfEH7YZEBXylX11y21oOf8najZe5s1/S
6skS8Qb87W8Omxw/AygpDaQ0qJt5IPEYQ0eIWQoB+JebePV/ENjtvt2WuERT+nQY
VE1gsOmmtosCEntO53LzwG2S13JrKm27KF1E/74j7XEJumvjMVG0kPCRzN6hShH2
0oJT9xryWfbh1knzt+Vj5tRdL2ql2Fq18uSymVUSQa+v4bppC9b7uuOZom4JObbA
WTYztS0g+1glfweOEX+oyYWXBF+mNEVmx8RkBwqgbnpS8EUhSh67gAXqTxw4spjN
MXNzjxKyRF/xNTcTo1YE+MuD+zeJ59vEgVAlILpj5NLXDPfEdp4+GJxjZdAJPeuJ
NpDw3uF0V1GIuxyJvY8Acbcn9v1QEe8ZSS+2XSRmbd3cdb7UsvrMQC17o+5tjkd8
E6J49Sd3efuvT5IMYO3DSQyakzuUw9z6S6oDBj4ajc/w2As+7UE8DWaE1Auehrsv
zftmOr1aiMDNW3WvekvWQ5orysrbVQ5B1XYnxRJbsMKmGq3agSk=
=YvBy
-----END PGP SIGNATURE-----