Impact
A recursion error can be triggered when two Markdown files use the :include: directive to reference each other, causing unbounded recursion in the Mistune renderer and a RecursionError that crashes the rendering process. The weakness arises from insufficient cycle detection (CWE‑674) and resulting stack exhaustion (CWE‑755). The flaw also reveals a potential infinite loop condition (CWE‑835).
Affected Systems
The issue affects the Mistune Markdown parser released by the developer Lepture. Versions of Mistune prior to 3.3.0 are vulnerable and should be considered impacted.
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity denial‑of‑service risk. The EPSS score of < 1% indicates a very low but non‑zero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by providing two attacker‑controlled Markdown files that include each other, which forces the application to recuse until the interpreter stack limit is hit, thereby crashing the request handler. No remote code execution or elevated privilege is possible through this vector.
OpenCVE Enrichment