Substring Matching Vulnerability in @digitalocean/do-markdownit Package
CVE-2025-59717

5.4MEDIUM

Key Information:

Vendor

Digitalocean

Status
@digitalocean/do-markdownit
Vendor
CVE Published:
19 September 2025

What is CVE-2025-59717?

The @digitalocean/do-markdownit package, versions up to 1.16.1, experiences a vulnerability due to improper handling of input in the callout and fence_environment plugins. When allowedClasses or allowedEnvironments are set as strings instead of arrays, these plugins perform substring matching, which could lead to unintended behavior and potential security risks. This flaw underscores the necessity of proper input validation to mitigate the risk of exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

@digitalocean/do-markdownit 0 <= 1.16.1

References

https://github.com/digitalocean/do-markdownit
https://gist.github.com/thesmartshadow/dd19665f1f51a4e3c7...
https://www.npmjs.com/package/@digitalocean/do-markdownit

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.