CVE-2026-48988: markdown-it: Quadratic complexity DoS in smartquotes rule via replaceAt string operations

June 15, 2026

A quadratic time complexity vulnerability exists in markdown-it’s smartquotes rule (enabled via the typographer: true option). An attacker can craft a markdown input consisting of consecutive quotation marks that causes the parser to consume excessive CPU time, leading to denial of service.

References

github.com/advisories/GHSA-6v5v-wf23-fmfq
github.com/markdown-it/markdown-it/security/advisories/GHSA-6v5v-wf23-fmfq
nvd.nist.gov/vuln/detail/CVE-2026-48988

Code Behaviors & Features

Detect and mitigate CVE-2026-48988 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →