Description
A type confusion issue exists in the @digitalocean/do-markdownit package. In the callout and fence_environment plugins, the allowedClasses and allowedEnvironments options are expected to be arrays of strings. If these options are provided as a single string, the code applies .includes directly on the string, resulting in substring matching instead of membership checks against an array.
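The difference between the two `.includes` behaviours described above, shown as an added example rather than code from the package: the function names are hypothetical, the sample values are constructed, and only the `allowedClasses` option name comes from the advisory.

```javascript
// Added illustration; function names are hypothetical, not the package's own code.

// Pattern described in the advisory: .includes is called on whatever was passed.
// Array.prototype.includes tests membership; String.prototype.includes tests substrings.
function isAllowedUnchecked(allowed, name) {
  return allowed.includes(name);
}

// Hardened form: validate the option's type once, then do exact membership checks.
function normalizeAllowList(option, optionName) {
  if (!Array.isArray(option) || !option.every((v) => typeof v === 'string')) {
    throw new TypeError(`${optionName} must be an array of strings`);
  }
  return new Set(option);
}

function isAllowedStrict(allowSet, name) {
  return allowSet.has(name);
}

// Constructed sample configurations, not taken from the package.
function demo() {
  const asArray = ['warning', 'info'];
  const asString = 'warning'; // misconfiguration: a single string instead of an array

  const results = {
    arrayExact: isAllowedUnchecked(asArray, 'warning'),
    arrayPartial: isAllowedUnchecked(asArray, 'warn'),
    stringExact: isAllowedUnchecked(asString, 'warning'),
    stringPartial: isAllowedUnchecked(asString, 'warn'), // substring match
    stringEmpty: isAllowedUnchecked(asString, ''),       // '' is a substring of any string
  };

  // The hardened path refuses the string outright instead of matching loosely.
  try {
    normalizeAllowList(asString, 'allowedClasses');
    results.stringRejected = false;
  } catch (err) {
    results.stringRejected = err instanceof TypeError;
  }

  const allowSet = normalizeAllowList(asArray, 'allowedClasses');
  results.strictExact = isAllowedStrict(allowSet, 'warning');
  results.strictPartial = isAllowedStrict(allowSet, 'warn');
  return results;
}

console.log(demo());
```

Until a fixed release exists, callers can apply the same type check to their own configuration before passing it to the plugins.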
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.16.1
Related Issues
- useragent Regular Expression Denial of Service vulnerability - CVE-2020-26311
- axios Inefficient Regular Expression Complexity vulnerability - CVE-2021-3749
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Vite's `server.fs.deny` is bypassed when using `?import&raw` - CVE-2024-45811
Tags:
- npm
- @digitalocean/do-markdownit
Last updated on September 22, 2025