Description
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.
Published: 2026-06-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A denial‑of‑service vulnerability exists in the Mistune Markdown parser caused by quadratic‑time processing within the parse_link_text function. The parser repeatedly applies a regular expression search in a loop, re‑scanning large portions of the remaining input on each iteration. When an attacker supplies Markdown that contains many consecutive '[' characters, the parser consumes excessive CPU time, potentially exhausting system resources and disrupting service. The flaw is classified as CWE‑1333, CWE‑400, CWE‑407, and CWE‑770.

Affected Systems

The affected product is Mistune from the lepture vendor. All versions prior to 3.3.0 vulnerable. Any application that imports Mistune to render user‑supplied or untrusted Markdown may be susceptible.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the vulnerability is not listed in the CISA KEV catalog. The EPSS score of 0.00253 (<1%) indicates a very low exploitation probability, but an attacker can still trigger the denial‑of‑service by sending a small payload of many consecutive '[' characters. Exploitation is likely possible from a remote attacker by delivering a crafted Markdown document to an application that parses the content. The attacker only needs to supply a small payload containing multiple '[' characters to trigger the quadratic‑time behavior, leading to intense CPU usage and possible service interruption.

Generated by OpenCVE AI on June 26, 2026 at 02:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mistune to version 3.3.0 or newer
  • Validate or sanitize input before rendering Markdown to mitigate excessive CPU consumption
  • Implement rate‑limiting or input size restrictions on requests that involve Markdown rendering to reduce risk of DoS

Generated by OpenCVE AI on June 26, 2026 at 02:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qcq2-496w-v96p Mistune: Potential DoS via quadratic-time parsing in parse_link_text
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1333
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Lepture
Lepture mistune
Vendors & Products Lepture
Lepture mistune

Wed, 24 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Description Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior. An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload. This vulnerability is fixed in 3.3.0.
Title Mistune: Potential DoS via quadratic-time parsing in parse_link_text
Weaknesses CWE-400
CWE-407
CWE-770
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-15T00:47:30.206Z

Reserved: 2026-06-01T22:03:19.640Z

Link: CVE-2026-49851

cve-icon Vulnrichment

Updated: 2026-07-02T12:04:41.671Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-24T17:05:33Z

Links: CVE-2026-49851 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T02:15:15Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity

  • CWE-400

    Uncontrolled Resource Consumption

  • CWE-407

    Inefficient Algorithmic Complexity

  • CWE-770

    Allocation of Resources Without Limits or Throttling