CVE-2026-48988
Analyzed Analyzed - Analysis Complete

Denial-of-Service in markdown-it via Quadratic Processing in Smartquotes

Vulnerability report for CVE-2026-48988, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description

markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-24
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
markdown-it_project markdown-it to 14.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in markdown-it, a Markdown parser, in versions 14.1.1 and below when the typographer feature is enabled. It is a denial-of-service issue caused by quadratic (O(n^2)) processing in the smartquotes rule. The problem arises because the code repeatedly modifies strings using replaceAt(), which involves O(n) slicing and concatenation for each quote character. This inefficient processing can lead to excessive CPU usage when parsing markdown content that contains many quotes, especially if the markdown is user-supplied.

Although the typographer feature is disabled by default, many production applications enable it for enhanced typography, making this vulnerability relevant in real-world scenarios. The issue has been fixed in version 14.2.0.

Impact Analysis

This vulnerability can impact you by allowing attackers to cause a denial-of-service (DoS) condition. Specifically, by submitting markdown content with many quote characters, an attacker can trigger excessive CPU consumption due to the inefficient processing in the smartquotes rule. This can degrade or disrupt the availability of services that use markdown-it with the typographer feature enabled.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade markdown-it to version 14.2.0 or later, where the issue has been fixed.

Additionally, if upgrading is not immediately possible, consider disabling the typographer option (which is disabled by default) to prevent the vulnerable smartquotes rule from being triggered.

Compliance Impact

This vulnerability causes a denial-of-service condition by allowing excessive CPU consumption when processing quote-heavy, user-supplied markdown with the typographer option enabled. While it impacts service availability, there is no direct information linking this vulnerability to breaches of data confidentiality or integrity.

Since the vulnerability primarily affects availability and does not involve unauthorized data access or disclosure, its impact on compliance with standards like GDPR or HIPAAβ€”which focus heavily on data privacy and protectionβ€”is indirect and depends on the context of use.

Organizations relying on markdown-it with typographer enabled should consider the risk of service disruption as part of their availability controls, which may be relevant for compliance frameworks that require maintaining service uptime and availability.

Detection Guidance

This vulnerability occurs in markdown-it versions 14.1.1 and below when the typographer option is enabled, causing excessive CPU consumption due to quadratic processing in the smartquotes rule.

To detect if your system is affected, first verify the version of markdown-it in use and whether the typographer option is enabled.

  • Check the installed markdown-it version, for example by running: npm list markdown-it
  • Inspect your application configuration or code to see if the typographer option is set to true when initializing markdown-it.

Monitoring CPU usage during markdown parsing of quote-heavy user input may also help identify if the vulnerability is being triggered.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48988. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart