Skip to main content

mistune CVE-2026-33079

| EUVDEUVD-2026-27877 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-06 https://github.com/lepture/mistune GHSA-8mp2-v27r-99xp
8.7
CVSS 4.0 · Vendor: https://github.com/lepture/mistune
Share

Severity by source

Vendor (https://github.com/lepture/mistune) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/lepture/mistune).

CVSS VectorVendor: https://github.com/lepture/mistune

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 06, 2026 - 18:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 18:22 NVD
7.5 (HIGH) 8.7 (HIGH)
Source Code Evidence Fetched
May 06, 2026 - 17:34 vuln.today
Analysis Generated
May 06, 2026 - 17:34 vuln.today

DescriptionCVE.org

Summary

A ReDoS (Regular Expression Denial of Service) vulnerability in LINK_TITLE_RE allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the parser for approximately 6 seconds (measured on Apple M2, Python 3.14.3), with exponential growth per additional byte pair.

Details

The vulnerable regex is defined in src/mistune/helpers.py#L20-L25:

python
LINK_TITLE_RE = re.compile(
    r"[ \t\n]+("
    r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"|'
# "title"
    r"'(?:\\" + PUNCTUATION + r"|[^'\x00])*'"
# 'title'
    r")"
)

The double-quote branch compiles to "(?:\\[PUNCTUATION]|[^"\x00])*". The two alternatives inside (A|B)* overlap: a backslash followed by a punctuation character (e.g. \!) can be matched by either branch - as a 2-character escaped-punctuation sequence \\!, or as two individual [^"\x00] characters (\ then !). The same ambiguity exists in the single-quoted title branch.

When the input contains repeated \! pairs with no closing ", the regex engine exhaustively backtracks through all 2^N combinations, resulting in exponential O(2^N) time complexity.

This is reachable through normal Markdown parsing via two code paths:

  1. Inline links: [text](url "PAYLOAD)parse_link()parse_link_title()
  2. Block link reference definitions: [label]: url "PAYLOADBlockParser.parse_ref_link()parse_link_title() at block_parser.py#L259

PoC

python
import mistune
import time

md = mistune.create_markdown()
# Test with increasing N (number of \! pairs)
for n in [15, 18, 20, 22, 25]:
    payload = '[x](y "' + '\\!' * n + ')'
    start = time.time()
    md(payload)
    elapsed = time.time() - start
    print(f"N={n:2d}  len={len(payload):3d} bytes  time={elapsed:.3f}s")

Output (Apple M2, Python 3.14.3, mistune 3.2.0):

N=15  len= 38 bytes  time=0.007s
N=18  len= 44 bytes  time=0.044s
N=20  len= 48 bytes  time=0.178s
N=22  len= 52 bytes  time=0.740s
N=25  len= 58 bytes  time=5.922s

Each increment of N roughly doubles the execution time (consistent with O(2^N)).

The same attack works via block link reference definitions:

python
payload = '[l]: u "' + '\\!' * 25
# 58 bytes, ~6 seconds
md(payload)

Impact

This is a denial of service vulnerability. Any application or service that parses user-supplied Markdown using mistune can be made unresponsive by an attacker submitting a small crafted input (under 100 bytes).

Affected use cases include:

  • Web applications with Markdown-enabled input fields (comments, posts, descriptions)
  • Documentation systems that accept user contributions
  • API endpoints that process Markdown
  • Jupyter tooling such as nbconvert that relies on mistune for rendering

Suggested Fix

Exclude the backslash character from the catch-all character class to eliminate the alternation overlap:

python
# Before (vulnerable):
r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"'
r"'(?:\\" + PUNCTUATION + r"|[^'\x00])*'"
# After (fixed):
r'"(?:\\' + PUNCTUATION + r'|[^"\\\x00])*"'
r"'(?:\\" + PUNCTUATION + r"|[^'\\\x00])*'"

This ensures a backslash can only be consumed by the escaped-punctuation branch, eliminating the ambiguity in both the double-quote and single-quote branches. Verified on mistune 3.2.0 (Apple M2, Python 3.14.3):

  • Reduces N=25 from 4.2 seconds to 0.000006 seconds (700,000x improvement)
  • Handles N=50 in 0.000008 seconds
  • Passes all existing functional tests (quoted titles, escaped quotes, escaped punctuation)

AnalysisAI

Regular Expression Denial of Service in mistune's link title parser enables attackers to freeze Python applications with 58-byte Markdown payloads. The LINK_TITLE_RE regex in mistune 3.0.0a1 through 3.2.0 exhibits catastrophic backtracking (O(2^N) time complexity) when parsing link titles with repeated escaped punctuation patterns, blocking a parser thread for approximately 6 seconds on modern hardware with exponential growth per additional byte pair. Publicly available exploit code exists (demonstrated in the GitHub advisory with working PoC), enabling trivial weaponization against web applications, documentation systems, Jupyter tooling, and API endpoints that process user-supplied Markdown. CVSS 8.7 (CVSS:4.0/AV:N/AC:L/PR:N/UI:N/VA:H) reflects the network-accessible, zero-prerequisite nature of the attack, though the High availability impact assumes single-threaded parsing or resource-constrained environments.

Technical ContextAI

The vulnerability resides in mistune's helpers.py module, specifically the LINK_TITLE_RE compiled regular expression used for parsing Markdown link title attributes. This regex contains a nested quantifier with overlapping alternation branches: the pattern '(?:\PUNCTUATION|[^"\x00])*' allows a backslash-punctuation sequence like '\!' to match via either the explicit escape branch (\PUNCTUATION as a 2-character unit) or the catch-all character class (backslash and punctuation as two separate [^"\x00] matches). When the regex engine encounters repeated '\!' pairs without a closing quote delimiter, it must explore all 2^N combinations of how to partition the input between these two overlapping branches, causing exponential-time catastrophic backtracking. This is a textbook instance of CWE-1333 (Inefficient Regular Expression Complexity), where poorly constructed regex alternation leads to algorithmic complexity attacks. The vulnerability is reachable through standard Markdown parsing code paths: inline link syntax '[text](url "PAYLOAD)' via parse_link() and reference-style link definitions '[label]: url "PAYLOAD' via BlockParser.parse_ref_link(), both of which invoke the vulnerable parse_link_title() function. Mistune is a widely-used Python Markdown parser with approximately 7 million downloads per month, deployed in frameworks like Jupyter nbconvert, static site generators, and web applications requiring Markdown rendering.

RemediationAI

Apply the vendor-provided code-level fix by modifying src/mistune/helpers.py to exclude backslash from the catch-all character class in LINK_TITLE_RE: change '(?:\\PUNCTUATION|[^"\x00])*' to '(?:\\PUNCTUATION|[^"\\\x00])*' for double-quoted titles, and similarly for single-quoted titles. This eliminates the alternation overlap that enables exponential backtracking. The fix has been validated by the vendor to reduce N=25 payload processing from 4.2 seconds to 6 microseconds with no functional test regressions, handling N=50 in 8 microseconds. However, no official patched release version is identified in the provided intelligence data-organizations must either apply the regex patch manually to their installed mistune package or monitor https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp for an upcoming release. Compensating controls for environments unable to patch immediately: (1) Implement strict request timeouts (recommended 1-2 seconds maximum for Markdown parsing operations) at the application or reverse proxy layer to prevent thread exhaustion-trade-off is potential false positives on legitimate complex documents; (2) Apply rate limiting to Markdown input endpoints (e.g., 10 requests per minute per IP) to slow mass exploitation attempts-less effective against distributed attacks; (3) Enforce maximum input length restrictions (e.g., 10KB) before passing to mistune, though note the PoC demonstrates impact at only 58 bytes so size limits must be carefully tuned; (4) Deploy mistune parsing in isolated worker processes with CPU/memory resource limits (e.g., Docker containers with cgroup constraints) to contain blast radius-adds operational complexity and latency. None of these mitigations eliminate the vulnerability; upgrading to a patched version once available is the definitive solution.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Module for Python 3 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-33079 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy