CVE-2025-59717: 
JavaScript vulnerability analysis and mitigation

In the @digitalocean/do-markdownit package through 1.16.1 (in npm), a Type Confusion vulnerability exists where the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is provided as a string instead of an array. This vulnerability was assigned CVE-2025-59717 and was disclosed on September 19, 2025 (NVD, Miggo).

The vulnerability stems from a type confusion issue in two plugins: callout and fence_environment. When these plugins are configured with allowedClasses or allowedEnvironments as strings instead of arrays, they use JavaScript's String.prototype.includes() method for validation. This performs a substring search rather than the intended exact match comparison that would occur with an array. For example, if allowedClasses is set to 'admin,info', an attacker can use the class 'in' which would pass validation as it's a substring of the allowed classes string (GitHub PoC). The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) (Miggo).

The vulnerability allows attackers to bypass access controls by using substrings of allowed classes or environments. This can lead to unauthorized styling or access to restricted environments in applications using the affected package. For example, an attacker could gain access to production environments by using 'pro' as a substring of 'production' in the environment settings (GitHub PoC).

The vulnerability affects @digitalocean/do-markdownit package versions through 1.16.1. Users should ensure that allowedClasses and allowedEnvironments are always configured as arrays rather than strings when using the callout and fence_environment plugins (Miggo).