Listen to this Post
The vulnerability arises within the callout and fence_environment plugins when the configuration options `allowedClasses` or `allowedEnvironments` are supplied as strings instead of the expected array type. The code performs a `.includes` substring check on the provided string input. This type confusion between an array and a string allows an attacker to bypass input sanitization. For instance, a malicious class name containing an allowed substring (e.g., ‘active’ within ‘deactivate’) would be incorrectly permitted, leading to potential cross-site scripting (XSS) if the output is rendered without further sanitization.
Platform: npm
Version: through 1.16.1
Vulnerability : Type Confusion
Severity: Moderate
date: 2025-09-19
Prediction: Patch by 2025-09-26
What Undercode Say:
npm audit npm list @digitalocean/do-markdownit
// Example of vulnerable configuration
const md = require('@digitalocean/do-markdownit');
md.use(require('@digitalocean/do-markdownit/plugins/callout'), { allowedClasses: 'active' }); // String is vulnerable
How Exploit:
Malicious markdown content with crafted class names bypasses sanitization filters.
Protection from this CVE:
Upgrade package version. Ensure configuration options use arrays.
Impact:
Cross-Site Scripting (XSS)
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

