[GH-ISSUE #478] Security concern in v0.25.0 due to markdown-it dependency #2239

New issue

Closed

opened 2026-03-07 20:05:53 +03:00 by kerem · 2 comments

kerem commented

2026-03-07 20:05:53 +03:00

Owner

Originally created by @ericcornelissen on GitHub (Jan 11, 2022).
Original GitHub issue: https://github.com/DavidAnson/markdownlint/issues/478

Hi markdownlint maintainers and community 👋

I want to raise a security vulnerability (concern?¹) for the community in the latest published version (markdownlint@v0.25.0) related to markdown-it.

References:

Since markdown-it is pinned at 12.3.0 it is not possible for users of markdownlint to upgrade to the latest version of markdown-it, 12.3.2 that contains a fix. From this perspective allowing a range of versions, e.g ^12.3.0, for (non-dev) dependencies would be beneficial to users.

Thank you in advance!

I'd classify the vulnerability as low risk for markdownlint since, presumably, in most instances users will have full control over the MarkDown they're going to lint. However, I don't think that discredits the issue entirely. ↩︎

Originally created by @ericcornelissen on GitHub (Jan 11, 2022). Original GitHub issue: https://github.com/DavidAnson/markdownlint/issues/478 Hi markdownlint maintainers and community :wave: I want to raise a security vulnerability (concern?[^1]) for the community in the latest published version (`markdownlint@v0.25.0`) related to [`markdown-it`](https://github.com/DavidAnson/markdownlint/blob/02707cf2702127f928e99919127ef703abf03f65/package.json#L50). References: - [SNYK-JS-MARKDOWNIT-2331914](https://security.snyk.io/vuln/SNYK-JS-MARKDOWNIT-2331914) - [GHSA-6vfc-qv3f-vr6c](https://github.com/advisories/GHSA-6vfc-qv3f-vr6c) - [CVE-2022-21670](https://nvd.nist.gov/vuln/detail/CVE-2022-21670) - https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101 Since `markdown-it` is pinned at `12.3.0` it is not possible for users of `markdownlint` to upgrade to the latest version of `markdown-it`, `12.3.2` that contains a fix. From this perspective allowing a range of versions, e.g `^12.3.0`, for (non-dev) dependencies would be beneficial to users. Thank you in advance! [^1]: I'd classify the vulnerability as low risk for markdownlint since, presumably, in most instances users will have full control over the MarkDown they're going to lint. However, I don't think that discredits the issue entirely.

kerem

2026-03-07 20:05:53 +03:00

closed this issue
added the
bug

fixed in next
labels

kerem commented

2026-03-07 20:05:55 +03:00

Author

Owner

@DavidAnson commented on GitHub (Jan 12, 2022):

I agree with your assessment of this as being low risk, especially as denial of service attacks are more of a nuisance than a security threat. That said, it's easy enough to update and I will do so soon.

@DavidAnson commented on GitHub (Jan 12, 2022): I agree with your assessment of this as being low risk, especially as denial of service attacks are more of a nuisance than a security threat. That said, it's easy enough to update and I will do so soon.

kerem commented

2026-03-07 20:05:55 +03:00

Author

Owner

@ericcornelissen commented on GitHub (Jan 13, 2022):

Small update, the issue now has an official CVE. I updated the issue description accordingly.

Because it now has a CVE it'll show up in the npm audit output and automation tools like Dependabot will start flagging it as well.

@ericcornelissen commented on GitHub (Jan 13, 2022): Small update, the issue now has an official CVE. I updated the issue description accordingly. Because it now has a CVE it'll show up in the `npm audit` output and automation tools like Dependabot will start flagging it as well.