Description
A type confusion issue exists in the `@digitalocean/do-markdownit` package. In the `callout` and `fence_environment` plugins, the `allowedClasses` and `allowedEnvironments` options are expected to be arrays of strings. If these options are provided as a single string, the code applies `.includes` directly on the string, resulting in substring matching instead of membership checks against an array.
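The difference between the two `.includes` behaviours, with a hardened check beside the loose one. This is an added example, not code from the package: the function names and the sample option value `'warning'` are assumptions made for illustration.

```javascript
// Added illustration, not code from @digitalocean/do-markdownit.
// Function names and sample values are hypothetical.

// Vulnerable pattern: assumes `allowed` is an array. When it is a string,
// String.prototype.includes runs instead and matches any substring.
function isAllowedLoose(allowed, name) {
  return allowed.includes(name);
}

// Hardened pattern: coerce the option to an array of strings once, and
// reject anything else so a misconfiguration fails loudly.
function normalizeAllowList(option, optionName) {
  if (option === undefined || option === null) return [];
  if (typeof option === 'string') return [option];
  if (Array.isArray(option) && option.every((v) => typeof v === 'string')) {
    return option;
  }
  throw new TypeError(`${optionName} must be a string or an array of strings`);
}

function isAllowedStrict(allowed, name) {
  return normalizeAllowList(allowed, 'allowedClasses').includes(name);
}

// Constructed input: the option passed as a single string, not an array.
const misconfigured = 'warning';
const candidates = ['warning', 'warn', 'ing', ''];

// Run both checks over the same candidate names for comparison.
function compare(allowed, names) {
  return names.map((name) => ({
    name,
    loose: isAllowedLoose(allowed, name),
    strict: isAllowedStrict(allowed, name),
  }));
}

console.table(compare(misconfigured, candidates));
```

With the string-valued option, the loose check accepts every fragment of the configured value, including the empty string, while the normalized check accepts only the exact name.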
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.16.1
Related Issues
- @perfood/couch-auth has a host header injection vulnerability - CVE-2025-70948
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - CVE-2025-13465
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - lodash.unset - CVE-2025-13465
- Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - lodash-es - CVE-2025-13465
Tags: npm, @digitalocean/do-markdownit
Last updated on September 22, 2025


