Description
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.
Published: 2026-06-24
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A denial-of-service vulnerability exists in the Mistune Markdown parser caused by quadratic-time processing within the parse_link_text function. The parser repeatedly applies a regular expression search in a loop, re-scanning large portions of the remaining input on each iteration. When an attacker supplies Markdown that contains many consecutive '[' characters, the parser consumes excessive CPU time, potentially exhausting system resources and disrupting service. The flaw is classified as CWE-400, CWE-407, and CWE-770.

Affected Systems

The affected product is Mistune from the lepture vendor. All versions prior to 3.3.0 are vulnerable. Any application that imports Mistune to render user-supplied or untrusted Markdown may be susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the vulnerability is not listed in the CISA KEV catalog. EPSS data is not available. Exploitation is likely possible by a remote attacker delivering a crafted Markdown document to an application that parses the content. The attacker only needs to supply a small payload containing multiple '[' characters to trigger the quadratic-time behavior, leading to intense CPU usage and possible service interruption.

Generated by OpenCVE AI on June 24, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mistune to version 3.3.0 or newer
  • Validate or sanitize input before rendering Markdown to mitigate excessive CPU consumption
  • Implement rate-limiting or input size restrictions on requests that involve Markdown rendering to reduce risk of DoS

Generated by OpenCVE AI on June 24, 2026 at 21:43 UTC.
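As an added example that is not part of this advisory or of Mistune's own code, the pre-render guard below implements the "validate input before rendering" and "input size restrictions" actions above against the exact pattern the description names, long runs of consecutive '[' characters, and does so in a single linear pass so the check cannot itself become a hot spot. The limits, the GuardResult type, the render_untrusted wrapper and the sample inputs are assumptions made for illustration; the renderer callable is whatever Markdown function the application already uses.

```python
from dataclasses import dataclass
from typing import Callable

# Limits are illustrative assumptions for this example; tune them to the
# sizes of Markdown your application legitimately accepts.
MAX_INPUT_BYTES = 64 * 1024
MAX_BRACKET_RUN = 32  # longest run of consecutive '[' tolerated


@dataclass(frozen=True)
class GuardResult:
    allowed: bool
    reason: str
    bracket_run: int
    size_bytes: int


def longest_bracket_run(text: str) -> int:
    """Length of the longest run of consecutive '[' characters (one linear pass)."""
    best = run = 0
    for ch in text:
        run = run + 1 if ch == "[" else 0
        if run > best:
            best = run
    return best


def guard_markdown(text: str, max_bytes: int = MAX_INPUT_BYTES,
                   max_run: int = MAX_BRACKET_RUN) -> GuardResult:
    """Decide whether untrusted Markdown may be handed to the parser at all."""
    size = len(text.encode("utf-8"))
    run = longest_bracket_run(text)
    if size > max_bytes:
        return GuardResult(False, "input exceeds size limit", run, size)
    if run > max_run:
        return GuardResult(False, "too many consecutive '[' characters", run, size)
    return GuardResult(True, "ok", run, size)


def render_untrusted(text: str, render: Callable[[str], str]) -> str:
    """Run the guard before any Markdown renderer (for Mistune, e.g. mistune.html)."""
    verdict = guard_markdown(text)
    if not verdict.allowed:
        raise ValueError(f"rejected Markdown: {verdict.reason} "
                         f"(size={verdict.size_bytes}, run={verdict.bracket_run})")
    return render(text)


# Constructed samples: ordinary link syntax versus a bracket-run input.
SAMPLE_OK = "See [the docs](https://example.invalid/docs) and [[wiki style]]."
SAMPLE_BAD = "[" * 5000
```

The guard only bounds exposure for deployments that cannot upgrade yet; upgrading to 3.3.0 remains the fix, and rejected inputs are worth logging with the size and run values so abuse attempts show up in monitoring.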

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 06:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Lepture; Lepture mistune
Vendors & Products  |                | Lepture; Lepture mistune

Wed, 24 Jun 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.
Title       |                | Mistune: Potential DoS via quadratic-time parsing in parse_link_text
Weaknesses  |                | CWE-400; CWE-407; CWE-770
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T17:05:33.602Z

Reserved: 2026-06-01T22:03:19.640Z

Link: CVE-2026-49851

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T06:00:05Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption
  • CWE-407: Inefficient Algorithmic Complexity
  • CWE-770: Allocation of Resources Without Limits or Throttling