CVE-2026-48988

Name of the Vulnerable Software and Affected Versions markdown-it (affected versions not specified)

Description A quadratic time complexity issue exists in the smartquotes rule when the typographer: true option is enabled. An attacker can provide markdown input containing a large number of consecutive quotation marks, causing the parser to consume excessive CPU resources and leading to a denial of service. This occurs because the replaceAt() function in lib/rules core/smartquotes.mjs modifies the token.content using string slicing and concatenation for every quote character found. Since each slice operation is O(n) and is performed for each of the n quotes, the overall complexity becomes O(n^2).

Recommendations As a temporary workaround, consider disabling the typographer option by setting it to false to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.