CVE-2026-59922
Received Received - Intake

ReDoS in Mistune Markdown Parser via Quadratic Marker Scanning

Vulnerability report for CVE-2026-59922, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a run of closed tilde, equals-sign, or caret marker pairs around a character causes quadratic work in src/mistune/plugins/formatting.py when the strikethrough, mark, or insert plugin scans for matching markers from each possible start position, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
lepture mistune to 3.3.0 (exc)
lepture mistune 3.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59922 is a vulnerability in the Mistune Python Markdown parser, specifically in versions prior to 3.3.0. The issue arises when the parser processes sequences of formatting markers such as strikethrough (~~), mark (==), or insert (^^). The parser scans for matching closing markers from every possible start position, causing the processing time to grow quadratically with the input size.

This quadratic-time parsing leads to excessive CPU usage when handling crafted markdown inputs with many repeated formatting markers, resulting in a denial-of-service (DoS) condition through CPU exhaustion.

Impact Analysis

This vulnerability can cause denial of service by exhausting CPU resources when processing specially crafted markdown inputs containing long sequences of formatting markers.

  • An attacker can submit markdown payloads with repeated strikethrough, mark, or insert markers that cause the parser to consume excessive CPU time.
  • The attack is network-reachable and requires no authentication, making it possible to disrupt services that use Mistune for markdown rendering.
  • Applications enabling these plugins for GitHub-flavored Markdown compatibility are particularly at risk.

Overall, the impact is a high-severity denial-of-service condition affecting availability.

Detection Guidance

This vulnerability can be detected by identifying if the mistune Python package version in use is 3.2.1 or earlier, as these versions are affected by the quadratic-time parsing issue in the formatting plugin.

Since the vulnerability causes excessive CPU usage when processing markdown inputs with repeated strikethrough (~~), mark (==), or insert (^^) markers, monitoring for unusually high CPU consumption during markdown parsing can be an indicator.

To detect the vulnerable version on your system, you can run the following command to check the installed mistune version:

  • python -m pip show mistune

If the version is 3.2.1 or earlier, the system is vulnerable.

Additionally, to detect exploitation attempts, you can monitor logs or network traffic for markdown inputs containing long sequences of repeated formatting markers such as '~~', '==', or '^^'.

Mitigation Strategies

The immediate mitigation step is to upgrade the mistune package to version 3.3.0 or later, where this vulnerability has been fixed by optimizing the parsing logic to avoid quadratic-time complexity.

If upgrading is not immediately possible, consider disabling the strikethrough, mark, and insert plugins in mistune, as these are the components affected by the vulnerability.

Additionally, you can implement input validation or rate limiting on markdown inputs to prevent large or malicious payloads with repeated formatting markers from being processed.

Compliance Impact

This vulnerability causes a denial-of-service (DoS) condition through CPU exhaustion by exploiting inefficient parsing in the Mistune Markdown parser. The primary impact is on availability, as indicated by the CVSS score and description.

There is no direct information in the provided context or resources linking this vulnerability to compliance issues with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59922. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart