CVE-2025-59717
5.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string (instead of an array).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| DigitalOcean | @digitalocean/do-markdownit | 0 <= 1.16.1 | affected |
Weaknesses
- CWE-843: CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/digitalocean/do-markdownit
- https://gist.github.com/thesmartshadow/dd19665f1f51a4e3c7a766e70c9eafd0
- https://www.npmjs.com/package/@digitalocean/do-markdownit
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.