Your message dated Sun, 28 Jun 2026 15:22:59 +0000
with message-id <[email protected]>
and subject line Bug#1140349: fixed in node-markdown-it 22.2.3+dfsg+~12.2.3-5
has caused the Debian Bug report #1140349,
regarding node-markdown-it: CVE-2026-48988
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1140349: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140349
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-markdown-it
Version: 22.2.3+dfsg+~12.2.3-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-markdown-it.
CVE-2026-48988[0]:
| markdown-it is a Markdown parser. Versions 14.1.1 and below contain
| a denial-of-service vulnerability when typographer: true is enabled,
| due to quadratic (O(n^2)) processing in the smartquotes rule. The
| issue stems from repeatedly modifying strings with replaceAt(),
| which performs O(n) slicing and concatenation per quote character.
| This can cause excessive CPU consumption when parsing quote-heavy,
| user-supplied markdown and may let attackers degrade or disrupt
| service availability. Although typographer is disabled by default,
| many production apps enable it for smart typography, making the
| issue relevant. This issue has been fixed in version 14.2.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-48988
    https://www.cve.org/CVERecord?id=CVE-2026-48988
[1] https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq
[2] https://github.com/markdown-it/markdown-it/commit/9ce2087562c45d1e5ddd9f76b990f4b3fbe040e5
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
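The cost pattern described in the CVE text above, as an added example that is not part of the original message and is not markdown-it's code: a simplified quote rule (pickQuote, compare and the copied counter are assumptions of this sketch) run once with a replaceAt()-style slice-and-concatenate per quote and once as a single pass that builds the output from parts. Characters copied are counted rather than timed, so the result is deterministic.

```javascript
'use strict';
// Simplified stand-in for a smart-quotes pass; the input below is constructed.

// Slice-and-concatenate replacement: every call rebuilds the whole string.
function replaceAt(str, index, ch, cost) {
  cost.copied += str.length - 1 + ch.length;
  return str.slice(0, index) + ch + str.slice(index + 1);
}

// Toy rule (assumption): a quote opens at start of text or after whitespace.
function pickQuote(text, i) {
  return i === 0 || /\s/.test(text[i - 1]) ? '\u201c' : '\u201d';
}

// One replaceAt() per quote: q quotes in n characters copy about q * n.
function smartquotesQuadratic(text) {
  const cost = { copied: 0 };
  let out = text;
  for (let i = 0; i < text.length; i++) {
    if (text[i] === '"') out = replaceAt(out, i, pickQuote(text, i), cost);
  }
  return { out, copied: cost.copied };
}

// Single pass: collect untouched runs and replacements, join once (about n).
function smartquotesLinear(text) {
  const cost = { copied: 0 };
  const parts = [];
  let last = 0;
  for (let i = 0; i < text.length; i++) {
    if (text[i] !== '"') continue;
    parts.push(text.slice(last, i), pickQuote(text, i));
    cost.copied += i - last + 1;
    last = i + 1;
  }
  parts.push(text.slice(last));
  cost.copied += text.length - last;
  return { out: parts.join(''), copied: cost.copied };
}

// Compare both strategies on k repetitions of a quoted word.
function compare(k) {
  const text = '"a" '.repeat(k);
  const q = smartquotesQuadratic(text);
  const l = smartquotesLinear(text);
  return { length: text.length, quadratic: q.copied, linear: l.copied,
           sameOutput: q.out === l.out };
}

for (const k of [1000, 2000]) console.log(compare(k));
```

Doubling the input quadruples the first count and only doubles the second, which is the growth to watch for when checking whether a deployed parser with typographer enabled still has the old behaviour.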
--- Begin Message ---
Source: node-markdown-it
Source-Version: 22.2.3+dfsg+~12.2.3-5
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-markdown-it, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-markdown-it package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 28 Jun 2026 17:02:49 +0200
Source: node-markdown-it
Architecture: source
Version: 22.2.3+dfsg+~12.2.3-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1140349
Changes:
node-markdown-it (22.2.3+dfsg+~12.2.3-5) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* Drop "Rules-Requires-Root: no"
* Drop "Priority: optional"
* debian/watch version 5
* Fix smartquotes performance (Closes: #1140349, CVE-2026-48988)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---