@digitalocean/do-markdownit, Type Confusion, CVE-2025-47109 (Moderate)

Listen to this Post

The vulnerability arises within the callout and fence_environment plugins when the configuration options `allowedClasses` or `allowedEnvironments` are supplied as strings instead of the expected array type. The code performs a `.includes` substring check on the provided string input. This type confusion between an array and a string allows an attacker to bypass input sanitization. For instance, a malicious class name containing an allowed substring (e.g., ‘active’ within ‘deactivate’) would be incorrectly permitted, leading to potential cross-site scripting (XSS) if the output is rendered without further sanitization.
Platform: npm
Version: through 1.16.1

Vulnerability : Type Confusion

Severity: Moderate

date: 2025-09-19

Prediction: Patch by 2025-09-26

What Undercode Say:

npm audit
npm list @digitalocean/do-markdownit
// Example of vulnerable configuration
const md = require('@digitalocean/do-markdownit');
md.use(require('@digitalocean/do-markdownit/plugins/callout'), { allowedClasses: 'active' }); // String is vulnerable

How Exploit:

Malicious markdown content with crafted class names bypasses sanitization filters.

Protection from this CVE:

Upgrade package version. Ensure configuration options use arrays.

Impact:

Cross-Site Scripting (XSS)

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top