PatchSiren cyber security CVE debrief

CVE-2026-48988 markdown-it CVE debrief

CVE-2026-48988 is a denial-of-service vulnerability in markdown-it, a Markdown parser. When typographer: true is enabled, the smartquotes rule can consume excessive CPU because it processes quotes in quadratic (O(n^2)) time. Parsing quote-heavy, user-supplied Markdown can therefore degrade or disrupt the service. Although typographer is disabled by default, many production applications enable it for smart typography, so the issue is still widely relevant. The vulnerability has been fixed in version 14.2.0. Developers and administrators should be aware of this issue, especially if they use markdown-it with typographer enabled.

Vendor: markdown-it
Product: Unknown
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-23
Advisory published: 2026-06-17
Advisory updated: 2026-06-23

Who should care

Developers and administrators using markdown-it with typographer enabled should be aware of this denial-of-service vulnerability. This includes those who use markdown-it in production applications for smart typography.

Technical summary

The markdown-it library, used for parsing Markdown, has a denial-of-service vulnerability when the typographer option is set to true. The smartquotes rule processes quotes in a way that takes quadratic time (O(n^2)). The cause is the use of replaceAt() on strings, which slices and concatenates the whole string for each quote character, so the work grows with the product of the input length and the number of quotes. Parsing Markdown content that contains many quotes can therefore consume excessive CPU. The vulnerability has been addressed in markdown-it version 14.2.0.
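
The replaceAt() pattern described above, beside a single-pass linear version that produces the same output and a simple quote-budget guard, as an added JavaScript example. This is not markdown-it's own code: the quote rules are deliberately simplified (every straight double quote alternates between opening and closing curly quotes), and `countQuoteChars`, `typographerIsSafe` and the 500-quote budget are assumed names and values, not markdown-it options. The 4000-character sample input is constructed.

```javascript
// Added example (not markdown-it's own code): why rebuilding a string with
// replaceAt() for every quote character is quadratic, and a single-pass
// alternative that yields the same output in linear time. The quote rules
// here are a deliberate simplification of the real smartquotes rule.

const OPEN_Q = '\u201C';  // left double quotation mark
const CLOSE_Q = '\u201D'; // right double quotation mark

// Slice-and-concatenate replacement: copies the entire string on every call.
function replaceAt(str, index, ch) {
  return str.slice(0, index) + ch + str.slice(index + 1);
}

// The vulnerable shape: one full-string copy per quote, so n quotes in a
// string of length L cost about n * L character copies (O(n^2) for
// quote-heavy input). Returns the converted text plus the number of
// characters copied, so the growth can be checked without wall-clock timing.
function smartQuotesQuadratic(text) {
  let out = text;
  let open = true;
  let copied = 0;
  for (let i = 0; i < out.length; i++) {
    if (out[i] === '"') {
      copied += out.length;
      out = replaceAt(out, i, open ? OPEN_Q : CLOSE_Q);
      open = !open;
    }
  }
  return { result: out, copied };
}

// Linear alternative: collect untouched segments and replacement characters
// into an array and join once at the end; each input character is copied once.
function smartQuotesLinear(text) {
  const parts = [];
  let open = true;
  let last = 0;
  for (let i = 0; i < text.length; i++) {
    if (text[i] === '"') {
      parts.push(text.slice(last, i), open ? OPEN_Q : CLOSE_Q);
      open = !open;
      last = i + 1;
    }
  }
  parts.push(text.slice(last));
  return parts.join('');
}

// Defensive guard for deployments that cannot upgrade yet (assumed helper):
// count the characters the typographer rule would act on and refuse to
// enable it for untrusted input past a budget. maxQuotes is a tunable threshold.
function countQuoteChars(text) {
  let n = 0;
  for (const ch of text) if (ch === '"' || ch === "'") n++;
  return n;
}

function typographerIsSafe(text, maxQuotes) {
  return countQuoteChars(text) <= maxQuotes;
}

// Constructed demonstration input: 2000 straight quotes in a 4000-character string.
function demo() {
  const sample = 'x"'.repeat(2000);
  const q = smartQuotesQuadratic(sample);
  return {
    sameOutput: q.result === smartQuotesLinear(sample),
    charsCopiedByQuadratic: q.copied, // 2000 quotes * 4000 chars = 8,000,000
    guardAllows: typographerIsSafe(sample, 500),
  };
}

console.log(JSON.stringify(demo()));
```

Doubling the number of quotes in the sample doubles both the string length and the number of full copies, so the copied-character count quadruples; that is the growth the advisory refers to, and the reason the linear join-based form is the right shape for this kind of substitution.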

Defensive priority

Medium

Recommended defensive actions

  • Update markdown-it to version 14.2.0 or later
  • Disable typographer if not required for smart typography
  • Implement input validation and sanitization for user-supplied Markdown
  • Monitor CPU usage and performance of Markdown parsing
  • Consider using alternative Markdown parsers
  • Review and adjust application configurations for markdown-it

Evidence notes

The vulnerability details are based on information from the CVE record and the markdown-it GitHub repository. The CVE record provides an overview of the issue, while the GitHub repository contains the fix and additional technical details.
