CVE-2026-48988

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/markdown-it/markdown-it/commit/9ce2087562c45d1e5ddd9f76b990f4b3fbe040e5
https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq
https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq

Configurations

No configuration.

History

18 Jun 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-17 21:16

Updated : 2026-06-18 20:16

NVD link : CVE-2026-48988

Mitre link : CVE-2026-48988

CVE.ORG link : CVE-2026-48988

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

{"id": "CVE-2026-48988", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-48988", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-18T19:41:23.675536Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "markdown-it", "product": "markdown-it", "versions": [{"status": "affected", "version": "< 14.2.0"}]}]}], "published": "2026-06-17T21:16:23.563", "references": [{"url": "https://github.com/markdown-it/markdown-it/commit/9ce2087562c45d1e5ddd9f76b990f4b3fbe040e5", "source": "security-advisories@github.com"}, {"url": "https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq", "source": "security-advisories@github.com"}, {"url": "https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0."}], "lastModified": "2026-06-18T20:16:14.967", "sourceIdentifier": "security-advisories@github.com"}