CVE-2025-69534
Unhandled AssertionError in Python-Markdown 3.8 Causes Remote DoS
Publication date: 2026-03-05
Last updated on: 2026-03-13
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python-markdown | markdown | 3.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69534 is a vulnerability in Python-Markdown version 3.8 where malformed HTML-like sequences, specifically those containing the sequence "<![", cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing.

Because Python-Markdown does not catch this exception, any application processing attacker-controlled Markdown may crash. This happens when the parser encounters malformed input that disrupts its handling of XML-style marked sections, leading to uncaught exceptions and crashes.

The vulnerability was identified through fuzz testing and affects applications using the "extra" extension in Python-Markdown 3.8. It was fixed in version 3.8.1. [1]
How can this vulnerability impact me?
This vulnerability can cause remote Denial of Service (DoS) in any application that parses untrusted Markdown, such as web applications, documentation systems, and CI/CD pipelines.
An attacker can send specially crafted Markdown inputs that trigger uncaught exceptions, causing the application to crash and become unavailable.
Additionally, there is a risk of information disclosure through stack traces if error details are exposed, potentially leaking sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether your Python-Markdown 3.8 installation, with the "extra" extension enabled, crashes or raises uncaught exceptions when parsing malformed Markdown inputs containing the sequence "<![".

A practical detection method is to run a test script that feeds inputs like "<![", "<![>og))/uw_ f{tv+pAr$Ss+[6;^{=<:>g2oV|.pdTMu(Q-E#", or "<![ g' \" 7z5r7cojSO;2LAo0(1Vv5G>,-P" to the Markdown parser and observe whether it crashes or throws exceptions.

For example, you can use a Python script that imports markdown with the extra extension enabled and attempts to parse these inputs. If the parser crashes or raises an unhandled AssertionError, the vulnerability is present.

No specific network commands are provided, but fuzz testing or targeted input testing on your Markdown processing service is recommended. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Python-Markdown from version 3.8 to version 3.8.1 or later, where this vulnerability has been fixed.

Until the upgrade is applied, avoid processing untrusted Markdown inputs that may contain malformed HTML-like sequences such as "<![" to reduce the risk of Denial of Service.

Additionally, consider implementing input validation or sanitization to filter out or escape suspicious sequences before parsing. [1, 2]