Description
A type confusion issue exists in the @digitalocean/do-markdownit package. In the callout and fence_environment plugins, the allowedClasses and allowedEnvironments options are expected to be arrays of strings. If these options are provided as a single string, the code applies .includes directly on the string, resulting in substring matching instead of membership checks against an array.
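The following is an added illustration of the behaviour described above, not code from do-markdownit itself: `isAllowedLoose` is a hypothetical allow-list check written in the same pattern (calling `.includes` on whatever the option holds), and `isAllowedStrict` is one way to harden it by normalising the option to an array of strings before the membership test. The option values are constructed sample data.

```javascript
// Added example (not do-markdownit's own code): how `.includes` changes meaning
// depending on whether the option is an Array or a String.

// Hypothetical allow-list check in the style the advisory describes.
// `allowed` is documented as an array of strings, but nothing enforces that,
// so a single string reaches String.prototype.includes (substring test).
function isAllowedLoose(allowed, candidate) {
  return allowed.includes(candidate);
}

// Hardened variant: coerce the option into an array of strings up front and
// reject anything else, so the membership test always has array semantics.
function normalizeAllowList(allowed) {
  if (allowed === undefined || allowed === null) return [];
  const list = Array.isArray(allowed) ? allowed : [allowed];
  for (const item of list) {
    if (typeof item !== 'string') {
      throw new TypeError('allow-list entries must be strings');
    }
  }
  return list;
}

function isAllowedStrict(allowed, candidate) {
  return normalizeAllowList(allowed).includes(candidate);
}

// Constructed sample configuration: the intent is to allow exactly one class.
const asArray = ['note'];   // the documented shape
const asString = 'note';    // the misconfigured shape the advisory covers

// Array.prototype.includes: exact element match.
console.log(isAllowedLoose(asArray, 'note'));   // true
console.log(isAllowedLoose(asArray, 'no'));     // false

// String.prototype.includes: substring match, so a prefix and even the empty
// string are accepted.
console.log(isAllowedLoose(asString, 'no'));    // true
console.log(isAllowedLoose(asString, ''));      // true

// The hardened check behaves like the array case for both input shapes.
console.log(isAllowedStrict(asString, 'no'));   // false
console.log(isAllowedStrict(asString, ''));     // false
console.log(isAllowedStrict(asString, 'note')); // true
```

The same normalisation applies to both `allowedClasses` and `allowedEnvironments`; validating option types at plugin initialisation, rather than at each check, also gives a single place to add the `TypeError` shown here.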
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.16.1
References
Related Issues
- Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint - CVE-2025-65019
- validator.js has a URL validation bypass vulnerability in its isURL function - CVE-2025-56200
- Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables - CVE-2025-68115
- HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
Tags:
- npm
- @digitalocean/do-markdownit
Last updated on September 22, 2025