CVE-2025-59717
BaseFortify
Publication date: 2025-09-19
Last updated on: 2025-10-08
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| digitalocean | do-markdownit | to 1.16.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-Other | |
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the @digitalocean/do-markdownit package through version 1.16.1. The issue is that the callout and fence_environment plugins perform substring matching using the .includes method when allowedClasses or allowedEnvironments is a string instead of an array. This can lead to unintended matches and potentially incorrect behavior in how classes or environments are validated or processed.
How can this vulnerability impact me?
The vulnerability can impact you by causing the callout and fence_environment plugins to incorrectly validate or process allowed classes or environments due to substring matching. This may lead to security issues such as improper content rendering or injection of unintended classes or environments, potentially affecting the integrity and security of the markdown processing.
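The difference between the two `.includes` behaviours described above, as an added JavaScript example (not code from do-markdownit or from this page). The function names and sample class names are constructed for illustration; only the string-versus-array option and the `.includes` call come from the description.

```javascript
// Added illustration: function names are hypothetical, not do-markdownit source.

// The check as the advisory describes it: .includes() is called on whatever
// type the option holds. Array.prototype.includes compares whole elements;
// String.prototype.includes tests for a substring.
function isAllowedLoose(allowed, name) {
  return allowed.includes(name);
}

// Hardened form: turn the option into an array of exact names, so a lone
// string becomes a one-element list, and reject any other type outright.
function toAllowList(option) {
  if (typeof option === 'string') return [option];
  if (Array.isArray(option) && option.every((v) => typeof v === 'string')) {
    return option.slice();
  }
  throw new TypeError('allow-list must be a string or an array of strings');
}

function isAllowedExact(option, name) {
  return toAllowList(option).includes(name);
}

// Names the loose check accepts that the exact check rejects.
function overmatches(option, candidates) {
  return candidates.filter(
    (name) => isAllowedLoose(option, name) && !isAllowedExact(option, name)
  );
}

// Constructed sample input: class names as they might arrive from Markdown.
const candidates = ['warning', 'warn', 'ing', '', 'info'];

console.log(overmatches(['warning'], candidates)); // array option
console.log(overmatches('warning', candidates));   // string option
```

With the array option both checks agree; with the string option the loose check also accepts fragments of the configured name and the empty string.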