GHSA-2H8J-8R9P-849F

Vulnerability from github – Published: 2025-09-19 06:31 – Updated: 2025-09-22 22:55
VLAI?
Summary
@digitalocean/do-markdownit has Type Confusion vulnerability
Details

Overview

A type confusion issue exists in the @digitalocean/do-markdownit package. In the callout and fence_environment plugins, the allowedClasses and allowedEnvironments options are expected to be arrays of strings. If these options are provided as a single string, the code applies .includes directly on the string, resulting in substring matching instead of membership checks against an array.

Affected Versions

All versions up to and including 1.16.1 (npm).

Impact

Supplying crafted input can bypass intended allow-lists (e.g., class/environment constraints) due to substring checks, which may enable rendering of unintended classes or environments and lead to policy bypass in downstream consumers.

Mitigation

Until an upstream fix is released, ensure configuration normalization before invoking the plugins: - Validate that allowedClasses and allowedEnvironments are arrays (Array.isArray(...)), converting single strings into one-element arrays when necessary. - Consider sanitizing or strictly validating user-controlled values that influence Markdown rendering.

Severity ?
5.4 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@digitalocean/do-markdownit"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59717"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-843"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-19T17:15:44Z",
    "nvd_published_at": "2025-09-19T04:16:49Z",
    "severity": "MODERATE"
  },
  "details": "### Overview\nA type confusion issue exists in the `@digitalocean/do-markdownit` package. In the `callout` and `fence_environment` plugins, the `allowedClasses` and `allowedEnvironments` options are expected to be arrays of strings. If these options are provided as a single string, the code applies `.includes` directly on the string, resulting in substring matching instead of membership checks against an array.\n\n### Affected Versions\nAll versions up to and including 1.16.1 (npm).\n\n### Impact\nSupplying crafted input can bypass intended allow-lists (e.g., class/environment constraints) due to substring checks, which may enable rendering of unintended classes or environments and lead to policy bypass in downstream consumers.\n\n### Mitigation\nUntil an upstream fix is released, ensure configuration normalization before invoking the plugins:\n- Validate that `allowedClasses` and `allowedEnvironments` are arrays (`Array.isArray(...)`), converting single strings into one-element arrays when necessary.\n- Consider sanitizing or strictly validating user-controlled values that influence Markdown rendering.",
  "id": "GHSA-2h8j-8r9p-849f",
  "modified": "2025-09-22T22:55:37Z",
  "published": "2025-09-19T06:31:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59717"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/thesmartshadow/dd19665f1f51a4e3c7a766e70c9eafd0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/digitalocean/do-markdownit"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/@digitalocean/do-markdownit"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "@digitalocean/do-markdownit has Type Confusion vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.