ghsa-2h8j-8r9p-849f
Vulnerability from github
Overview
A type confusion issue exists in the @digitalocean/do-markdownit package. In the callout and fence_environment plugins, the allowedClasses and allowedEnvironments options are expected to be arrays of strings. If these options are provided as a single string, the code applies .includes directly on the string, resulting in substring matching instead of membership checks against an array.
Affected Versions
All versions up to and including 1.16.1 (npm).
Impact
Supplying crafted input can bypass intended allow-lists (e.g., class/environment constraints) due to substring checks, which may enable rendering of unintended classes or environments and lead to policy bypass in downstream consumers.
Mitigation
Until an upstream fix is released, ensure configuration normalization before invoking the plugins:
- Validate that allowedClasses and allowedEnvironments are arrays (Array.isArray(...)), converting single strings into one-element arrays when necessary.
- Consider sanitizing or strictly validating user-controlled values that influence Markdown rendering.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@digitalocean/do-markdownit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.16.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59717"
],
"database_specific": {
"cwe_ids": [
"CWE-843"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-19T17:15:44Z",
"nvd_published_at": "2025-09-19T04:16:49Z",
"severity": "MODERATE"
},
"details": "### Overview\nA type confusion issue exists in the `@digitalocean/do-markdownit` package. In the `callout` and `fence_environment` plugins, the `allowedClasses` and `allowedEnvironments` options are expected to be arrays of strings. If these options are provided as a single string, the code applies `.includes` directly on the string, resulting in substring matching instead of membership checks against an array.\n\n### Affected Versions\nAll versions up to and including 1.16.1 (npm).\n\n### Impact\nSupplying crafted input can bypass intended allow-lists (e.g., class/environment constraints) due to substring checks, which may enable rendering of unintended classes or environments and lead to policy bypass in downstream consumers.\n\n### Mitigation\nUntil an upstream fix is released, ensure configuration normalization before invoking the plugins:\n- Validate that `allowedClasses` and `allowedEnvironments` are arrays (`Array.isArray(...)`), converting single strings into one-element arrays when necessary.\n- Consider sanitizing or strictly validating user-controlled values that influence Markdown rendering.",
"id": "GHSA-2h8j-8r9p-849f",
"modified": "2025-09-22T22:55:37Z",
"published": "2025-09-19T06:31:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59717"
},
{
"type": "WEB",
"url": "https://gist.github.com/thesmartshadow/dd19665f1f51a4e3c7a766e70c9eafd0"
},
{
"type": "PACKAGE",
"url": "https://github.com/digitalocean/do-markdownit"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/package/@digitalocean/do-markdownit"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "@digitalocean/do-markdownit has Type Confusion vulnerability"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.