Description
markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.
Published: 2026-06-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

markdown-it is a popular Markdown parser. Versions 14.1.1 and earlier contain a denial‑of‑service weakness when the typographer option is enabled. The smartquotes rule uses replaceAt() to insert quotes, performing O(n) operations per quote. When many quote characters appear, the overall complexity grows quadratically, starving the process of CPU and allowing an attacker to exhaust resources by submitting quote‑heavy Markdown. This can degrade or disrupt the service that hosts or renders the Markdown.
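The quadratic pattern described above, as an added illustration in JavaScript (not markdown-it's code): a simplified smart-quote pass that rewrites the string with replaceAt() once per quote character, beside a single-pass rebuild that yields the same output in linear time. The opening/closing rule and the linear rebuild are assumptions made for the illustration, not markdown-it's smartquotes rule or its 14.2.0 fix.

```javascript
// Added illustration, not markdown-it's code; the linear rebuild is an
// assumed alternative, not the actual 14.2.0 change.

// slice + concatenate copies the whole string: O(n) per call, O(n^2) overall.
function replaceAt(str, index, ch) {
  return str.slice(0, index) + ch + str.slice(index + 1);
}

// Simplified rule (assumption): a quote after start-of-text or whitespace
// opens, any other quote closes.
function curly(text, i) {
  const ch = text[i];
  if (ch !== '"' && ch !== "'") return null;
  const opener = i === 0 || /\s/.test(text[i - 1]);
  if (ch === '"') return opener ? '\u201C' : '\u201D';
  return opener ? '\u2018' : '\u2019';
}

// Quadratic form: the string is rewritten once for every quote found.
function smartQuotesQuadratic(text) {
  let out = text;
  for (let i = 0; i < out.length; i++) {
    const q = curly(out, i);
    if (q !== null) out = replaceAt(out, i, q);
  }
  return out;
}

// Linear form: same decision per character, result assembled once.
function smartQuotesLinear(text) {
  const parts = new Array(text.length);
  for (let i = 0; i < text.length; i++) {
    const q = curly(text, i);
    parts[i] = q === null ? text[i] : q;
  }
  return parts.join('');
}

// Whole-string copies the quadratic form performs, i.e. the quote count;
// characters copied is about this times the input length.
function replaceAtCopies(text) {
  let n = 0;
  for (const ch of text) if (ch === '"' || ch === "'") n++;
  return n;
}
```

For a review, the useful check is that both forms agree on quote-heavy input while replaceAtCopies() grows with the number of quotes, which is exactly the CPU cost the advisory describes.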

Affected Systems

The affected product is markdown‑it by markdown‑it, specifically all releases at 14.1.1 or earlier. The vulnerability is present only when typographer: true is set, a setting that is off by default but is often enabled in production systems for better typographic output. The fix is available in 14.2.0 and later releases.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is below 1% and the issue is not on the CISA KEV list, implying it is unlikely to see widespread exploitation. Nevertheless, the attack can be carried out by providing malicious Markdown input containing many “smart‑quote” characters to a vulnerable parser. Because the issue relies on CPU consumption, the impact is limited to availability and does not expose confidentiality or integrity.

Generated by OpenCVE AI on June 18, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade markdown‑it to version 14.2.0 or newer.
  • If an upgrade is not immediately possible, disable the typographer option for any parsing that may receive untrusted content.
  • Implement input validation or rate limiting to restrict the length or complexity of Markdown that is processed, reducing the chance of excessive CPU usage.

Generated by OpenCVE AI on June 18, 2026 at 19:16 UTC.

Advisories
Source: Github GHSA
ID: GHSA-6v5v-wf23-fmfq
Title: markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
History

Thu, 18 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values added:

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values added: Markdown-it; Markdown-it markdown-it
Type: Vendors & Products
Values added: Markdown-it; Markdown-it markdown-it

Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values added: markdown-it is a Markdown parser. Versions 14.1.1 and below contain a denial-of-service vulnerability when typographer: true is enabled, due to quadratic (O(n^2)) processing in the smartquotes rule. The issue stems from repeatedly modifying strings with replaceAt(), which performs O(n) slicing and concatenation per quote character. This can cause excessive CPU consumption when parsing quote-heavy, user-supplied markdown and may let attackers degrade or disrupt service availability. Although typographer is disabled by default, many production apps enable it for smart typography, making the issue relevant. This issue has been fixed in version 14.2.0.
Type: Title
Values added: markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations
Type: Weaknesses
Values added: CWE-400
Type: References
Type: Metrics (cvssV3_1)
Values added:

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T19:41:43.861Z

Reserved: 2026-05-26T23:26:07.975Z

Link: CVE-2026-48988

Vulnrichment

Updated: 2026-06-18T19:40:35.229Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:30:15Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption