Pin markdown-it to 14.2.0 to remediate GHSA-6v5v-wf23-fmfq (CVE-2026-48988)#2016
Closed
mikeharder with Copilot wants to merge 2 commits into
Closed
Pin markdown-it to 14.2.0 to remediate GHSA-6v5v-wf23-fmfq (CVE-2026-48988)#2016mikeharder with Copilot wants to merge 2 commits into
mikeharder with Copilot wants to merge 2 commits into
Conversation
Copilot
AI
changed the title
[WIP] Fix quadratic complexity DoS in markdown-it smartquotes rule
Pin markdown-it to 14.2.0 to remediate GHSA-6v5v-wf23-fmfq (CVE-2026-48988)
Jun 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
markdown-it@14.1.1is vulnerable to quadratic-time DoS in the smartquotes rule whentypographer: trueis used. This repo resolved that vulnerable version transitively, so Dependabot could not auto-remediate without an explicit workspace-level constraint.Dependency remediation
pnpm-workspace.yamlto forcemarkdown-itto14.2.0(lowest patched version).pnpm-lock.yamlvia pnpm so all resolutions now point tomarkdown-it@14.2.0.Resolution path addressed
@typespec/tspd -> typedoc -> markdown-it.Reachability Assessment
markdown-itusage ortypographer: trueconfiguration in source paths; usage is transitive in tooling/docs generation dependency graph.Original prompt
This section details the Dependabot vulnerability alert you should resolve
<alert_title>markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations</alert_title>
<alert_description>### Summary
A quadratic time complexity vulnerability exists in markdown-it's smartquotes rule (enabled via the
typographer: trueoption). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, leading to denial of service.Details
The vulnerability is in the
replaceAt()helper function used by the smartquotes rule inlib/rules_core/smartquotes.mjs:When markdown-it processes a text token containing many quotation marks (either
"or') withtypographer: true, the smartquotes rule iterates through each quote character and callsreplaceAt()to substitute it with a typographic (curly) quote. Each call toreplaceAt()creates three new string slices and concatenates them, which is an O(n) operation where n is the length of the string.Since this is called once per quote character in the token, and there are n quote characters, the total time complexity becomes O(n^2).
The root cause is that the smartquotes rule modifies
token.contentin place using string slicing rather than building the result incrementally. Theprocess_inlines()function (line 14) processes each quote in the text token, and for matching quote pairs, callsreplaceAt()on both the opening and closing token's content (lines 151-152). When the entire input is a single text token of quote characters, this results in quadratic behavior.PoC
Measured timing on a modern system:
The scaling is clearly superlinear (quadratic), with the 80K->160K step showing a ~3.9x increase for a 2x input increase, consistent with O(n^2).
Impact
Applications that render user-supplied markdown with
typographer: trueare vulnerable to denial of service. An attacker can submit a relatively small payload (160KB of quote characters) that causes the server to spend over 21 seconds processing a single request. Repeated submissions can exhaust server CPU resources and prevent legitimate users from being served.The impact is mitigated by the fact that the
typographeroption defaults tofalseand must be explicitly enabled. However, the typographer feature is commonly enabled in production applications that want smart typography, and the markdown-it documentation prominently suggests enabling it.A suggested fix would be to replace the
replaceAt()approach with an array-based or StringBuilder-style approach that collects all replacements and applies them in a single pass, reducing the time complexity to O(n).</alert_description>moderate
https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq https://github.com/advisories/GHSA-6v5v-wf23-fmfqGHSA-6v5v-wf23-fmfq, CVE-2026-48988
markdown-it
npm
<vulnerable_versions>14.1.1</vulnerable_versions>
<patched_version>14.2.0</patched_version>
<manifest_path>pnpm-lock.yaml</manifest_path>
<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachabili...