Description
In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.
Published: 2026-05-06
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mistune is a popular Python Markdown parser. A ReDoS flaw exists in the LINK_TITLE_RE regular expression used for parsing link titles. The pattern contains overlapping alternatives that trigger catastrophic backtracking when an attacker supplies a crafted title with repeated exclamation-mark escape sequences and no closing quote. The resulting exponential CPU consumption can make the application using Mistune unresponsive, causing a denial of service. The vulnerability is classified as CWE-1333 (inefficient regular expression complexity).
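The backtracking mechanism described above, as a constructed Python example added here (this is not Mistune's code and not the upstream fix): AMBIGUOUS_TITLE_RE is a stand-in with the structure the advisory describes (an escaped-punctuation branch and an ordinary-character branch that overlap inside a repeated group), UNAMBIGUOUS_TITLE_RE is one way to make the branches mutually exclusive, and pathological_title builds the unterminated backslash-punctuation shape the advisory names. PUNCT, the function names and the sizes used are assumptions.

```python
import re
import string
import time

# Character class of ASCII punctuation, as a CommonMark-style title regex would use it.
PUNCT = "[" + re.escape(string.punctuation) + "]"

# Constructed stand-in for the ambiguous pattern the advisory describes; this is
# NOT Mistune's actual LINK_TITLE_RE. Inside the repeated group, a backslash
# followed by punctuation can be consumed either as one escaped-punctuation
# token ('\\' + PUNCT) or as two ordinary characters ([^"\x00] twice), so a
# title that never closes makes the engine try every combination before failing.
AMBIGUOUS_TITLE_RE = re.compile(
    r'"(?:\\' + PUNCT + r'|[^"\x00])*"'
    r"|'(?:\\" + PUNCT + r"|[^'\x00])*'"
)

# Hardened rewrite (constructed here, not the upstream fix): the ordinary-character
# branch excludes the backslash, and the two backslash branches are mutually
# exclusive through the lookahead, so every input position has exactly one way
# to match and a failed match unwinds in linear time.
UNAMBIGUOUS_TITLE_RE = re.compile(
    r'"(?:\\' + PUNCT + r'|\\(?!' + PUNCT + r')|[^"\\\x00])*"'
    r"|'(?:\\" + PUNCT + r"|\\(?!" + PUNCT + r")|[^'\\\x00])*'"
)


def parse_title(text, pattern=UNAMBIGUOUS_TITLE_RE):
    """Return the quoted title at the start of `text` (quotes included), or None."""
    m = pattern.match(text)
    return m.group(0) if m else None


def pathological_title(n):
    """Constructed input of the shape the advisory describes: an opening quote,
    n backslash-punctuation pairs and no closing quote."""
    return '"' + "\\!" * n


def time_match(pattern, text):
    """Seconds spent by one match attempt of `pattern` against `text`."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Ordinary titles parse identically with both patterns.
    for sample in ['"a \\"quoted\\" word" rest', "'it\\'s fine' rest", '"plain"']:
        print(repr(sample), "->", parse_title(sample, AMBIGUOUS_TITLE_RE), parse_title(sample))
    # Ambiguous pattern: each added pair roughly doubles the time (n kept small on purpose).
    for n in (8, 10, 12, 14):
        print(f"ambiguous, n={n}: {time_match(AMBIGUOUS_TITLE_RE, pathological_title(n)):.4f}s")
    # Unambiguous pattern: the same shape at n=5000 fails in linear time.
    print(f"unambiguous, n=5000: {time_match(UNAMBIGUOUS_TITLE_RE, pathological_title(5000)):.4f}s")
```

The two patterns agree on well-formed titles; the one input they treat differently is a backslash immediately before the closing quote (for example `"a\"`), which the ambiguous pattern accepts by reading the backslash as an ordinary character and the hardened one rejects, since under backslash-escape rules that quote is escaped and the title is unterminated. The doubling seen in the timing loop is the signature to look for when auditing any regex whose repeated group has alternatives that can match the same characters.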

Affected Systems

All applications that embed Mistune versions 3.0.0a1 through 3.2.0 are affected. The flaw is present in the source file mistune/helpers.py and applies to both inline links and block link reference definitions in Markdown documents.

Risk and Exploitability

The CVSS base score of 8.7 denotes high severity; no EPSS score is available, so there is no published exploitation probability. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the denial of service by supplying crafted Markdown to any component that renders it without input validation; no privileges or user interaction are required, and the input can be delivered remotely through normal input channels. Immediate patching is recommended.

Generated by OpenCVE AI on May 6, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mistune to the most recent stable release that includes the fixed LINK_TITLE_RE regex.
  • If an upgrade cannot be performed immediately, constrain the length of Markdown titles or enforce a timeout on Markdown rendering operations to prevent excessive CPU consumption.
  • Monitor service metrics and logs for abnormal CPU spikes that could indicate exploitation attempts, and consider disabling Markdown rendering for untrusted input until a patch is applied.
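The size cap and render timeout from the second recommended action, as an added Python example (not OpenCVE's or Mistune's code). It assumes the application can pass its Markdown renderer in as a callable; MAX_MARKDOWN_BYTES, RENDER_TIMEOUT_SECONDS, render_with_limits and the two stand-in renderers are hypothetical names chosen for the example.

```python
import multiprocessing as mp

MAX_MARKDOWN_BYTES = 64 * 1024    # assumed size cap for untrusted Markdown
RENDER_TIMEOUT_SECONDS = 2.0      # assumed CPU budget for one render


class RenderRejected(Exception):
    """Input refused by the size cap, or rendering killed by the time budget."""


def _worker(conn, render, text):
    """Runs in the child process: render and report the result or the exception."""
    try:
        conn.send(("ok", render(text)))
    except Exception as exc:  # report any failure to the parent instead of hanging
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def render_with_limits(render, text, max_bytes=MAX_MARKDOWN_BYTES,
                       timeout=RENDER_TIMEOUT_SECONDS):
    """Render `text` with `render` in a child process that is killed on timeout.

    A regex stuck in catastrophic backtracking runs inside C code that Python
    cannot interrupt with a signal handler or from another thread, so the budget
    is only enforceable by isolating the renderer in a process that can be killed.
    """
    size = len(text.encode("utf-8"))
    if size > max_bytes:
        raise RenderRejected(f"input of {size} bytes exceeds the {max_bytes}-byte cap")
    receiver, sender = mp.Pipe(duplex=False)
    proc = mp.Process(target=_worker, args=(sender, render, text))
    proc.start()
    sender.close()                  # the parent keeps only the receiving end
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        raise RenderRejected(f"rendering exceeded the {timeout}s budget")
    if not receiver.poll():
        raise RenderRejected(f"renderer exited with code {proc.exitcode} and no result")
    status, payload = receiver.recv()
    if status != "ok":
        raise RenderRejected(payload)
    return payload


# Stand-in renderers constructed for the demo; substitute the real Markdown renderer.
def fast_render(text):
    """Placeholder for a healthy renderer: escapes angle brackets and wraps in <p>."""
    return "<p>" + text.replace("<", "&lt;").replace(">", "&gt;") + "</p>"


def stalled_render(text):
    """Placeholder for a renderer caught in exponential backtracking."""
    while True:
        pass


if __name__ == "__main__":
    print(render_with_limits(fast_render, '[link](http://example.invalid "title")'))
    try:
        render_with_limits(stalled_render, "x", timeout=0.5)
    except RenderRejected as exc:
        print("rejected:", exc)
```

Spawning one process per render is deliberate for the guard to be enforceable; in a service that renders often, a pool of pre-started workers with the same kill-on-timeout handling is the usual refinement, and each RenderRejected is worth logging, since a steady stream of timeouts is exactly the CPU-spike signal the third recommended action asks to monitor for.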

Generated by OpenCVE AI on May 6, 2026 at 20:36 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-8mp2-v27r-99xp
Title: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input

History

Wed, 06 May 2026 19:30:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 18:00:00 +0000

Description (added): identical to the description at the top of this page.
Title (added): Mistune ReDoS in LINK_TITLE_RE allows denial of service with crafted Markdown titles
Weaknesses (added): CWE-1333
References: (no values shown)
Metrics (added): cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T19:02:51.759Z

Reserved: 2026-03-17T19:27:06.345Z

Link: CVE-2026-33079

Vulnrichment

Updated: 2026-05-06T19:02:48.489Z

NVD

Status : Received

Published: 2026-05-06T18:16:03.097

Modified: 2026-05-06T20:16:31.370

Link: CVE-2026-33079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T20:45:05Z

Weaknesses