CVE-2026-48988
Received Received - Intake
Denial-of-Service in markdown-it via Quadratic Processing in Smartquotes

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-18
AI Q&A
2026-06-18
EPSS Evaluated
N/A
NVD
CVE-2026-48988
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
markdown-it markdown-it to 14.2.0 (exc)
markdown-it markdown-it 14.2.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in markdown-it, a Markdown parser, in versions 14.1.1 and below when the typographer feature is enabled. It is a denial-of-service issue caused by quadratic (O(n^2)) processing in the smartquotes rule. The problem arises because the code repeatedly modifies strings using replaceAt(), which involves O(n) slicing and concatenation for each quote character. This inefficient processing can lead to excessive CPU usage when parsing markdown content that contains many quotes, especially if the markdown is user-supplied.

Although the typographer feature is disabled by default, many production applications enable it for enhanced typography, making this vulnerability relevant in real-world scenarios. The issue has been fixed in version 14.2.0.

Impact Analysis

This vulnerability can impact you by allowing attackers to cause a denial-of-service (DoS) condition. Specifically, by submitting markdown content with many quote characters, an attacker can trigger excessive CPU consumption due to the inefficient processing in the smartquotes rule. This can degrade or disrupt the availability of services that use markdown-it with the typographer feature enabled.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade markdown-it to version 14.2.0 or later, where the issue has been fixed.

Additionally, if upgrading is not immediately possible, consider disabling the typographer option (which is disabled by default) to prevent the vulnerable smartquotes rule from being triggered.

Compliance Impact

This vulnerability causes a denial-of-service condition by allowing excessive CPU consumption when processing quote-heavy, user-supplied markdown with the typographer option enabled. While it impacts service availability, there is no direct information linking this vulnerability to breaches of data confidentiality or integrity.

Since the vulnerability primarily affects availability and does not involve unauthorized data access or disclosure, its impact on compliance with standards like GDPR or HIPAAβ€”which focus heavily on data privacy and protectionβ€”is indirect and depends on the context of use.

Organizations relying on markdown-it with typographer enabled should consider the risk of service disruption as part of their availability controls, which may be relevant for compliance frameworks that require maintaining service uptime and availability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48988. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart