Source: node-markdown-it
Version: 22.2.3+dfsg+~12.2.3-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-markdown-it.

CVE-2026-48988[0]:
| markdown-it is a Markdown parser. Versions 14.1.1 and below contain
| a denial-of-service vulnerability when typographer: true is enabled,
| due to quadratic (O(n^2)) processing in the smartquotes rule. The
| issue stems from repeatedly modifying strings with replaceAt(),
| which performs O(n) slicing and concatenation per quote character.
| This can cause excessive CPU consumption when parsing quote-heavy,
| user-supplied markdown and may let attackers degrade or disrupt
| service availability. Although typographer is disabled by default,
| many production apps enable it for smart typography, making the
| issue relevant. This issue has been fixed in version 14.2.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-48988
    https://www.cve.org/CVERecord?id=CVE-2026-48988
[1] https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq
[2] https://github.com/markdown-it/markdown-it/commit/9ce2087562c45d1e5ddd9f76b990f4b3fbe040e5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
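The advisory quoted above attributes the denial of service to rebuilding the whole string with replaceAt() once per quote character. The following is an added illustration of that cost model, not code from markdown-it, the advisory, or the linked fix commit: it uses a deliberately simplified toy rule (alternate opening and closing double quotes), and the function names smartQuotesQuadratic, smartQuotesLinear, quoteHeavyInput and compareCost are assumptions for this example only. It counts characters copied so the quadratic versus linear behaviour is visible without relying on wall-clock timing.

```javascript
// Added example for CVE-2026-48988's cost model; not markdown-it code.
// The quote rule here is a toy (alternate opening/closing double quotes),
// chosen only to expose the O(n^2) slice-and-concat pattern the advisory
// describes and a single-pass alternative that copies each character once.

// replaceAt() builds a new string from two slices plus the replacement,
// so every call copies roughly the entire string: O(n) per quote.
function replaceAt(str, index, ch) {
  return str.slice(0, index) + ch + str.slice(index + 1);
}

// Quadratic variant: one replaceAt() per quote character.
// Returns the converted text and the number of characters copied.
function smartQuotesQuadratic(text) {
  let out = text;
  let copied = 0;
  let open = true;
  for (let i = 0; i < out.length; i++) {
    if (out[i] !== '"') continue;
    out = replaceAt(out, i, open ? '\u201C' : '\u201D');
    copied += out.length; // whole string rebuilt on every quote
    open = !open;
  }
  return { text: out, copied };
}

// Linear variant: collect untouched runs and replacements in an array and
// join once at the end, so each input character is copied about once.
function smartQuotesLinear(text) {
  const parts = [];
  let last = 0;
  let open = true;
  for (let i = 0; i < text.length; i++) {
    if (text[i] !== '"') continue;
    parts.push(text.slice(last, i), open ? '\u201C' : '\u201D');
    last = i + 1;
    open = !open;
  }
  parts.push(text.slice(last));
  const joined = parts.join('');
  return { text: joined, copied: joined.length };
}

// Constructed attacker-style input: n consecutive quote characters, the
// worst case for the per-quote rebuild (every position triggers a copy).
function quoteHeavyInput(n) {
  return '"'.repeat(n);
}

// Run both variants on the same input and report the copy counts.
function compareCost(n) {
  const input = quoteHeavyInput(n);
  const q = smartQuotesQuadratic(input);
  const l = smartQuotesLinear(input);
  return {
    n,
    same: q.text === l.text,
    quadraticCopied: q.copied, // n * n for this input
    linearCopied: l.copied,    // n for this input
  };
}

// Example run: with n = 1000 the quadratic path copies 1,000,000
// characters while the linear path copies 1,000.
console.log(compareCost(1000));
```

Growing n by a factor of ten multiplies the quadratic copy count by a hundred, which is why quote-heavy user input is enough to pin a CPU. Until the updated package is installed, the practical mitigations are the usual ones for this class of bug: leave typographer disabled where it is not needed, and cap the size of user-supplied markdown before it reaches the parser.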
