CVE-2026-59925
Received Received - Intake

ReDoS in Mistune Markdown Parser via Quadratic Parsing

Vulnerability report for CVE-2026-59925, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
lepture mistune 3.2.1
lepture mistune to 3.3.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59925 is a denial-of-service vulnerability in the Mistune Python Markdown parser versions 3.2.1 and earlier. The issue arises because the parser processes long sequences of double-asterisk or triple-asterisk emphasis pairs (like **x** or ***x***) in a way that causes quadratic-time complexity. Specifically, the parser scans forward from every potential opening emphasis marker to find matching closing markers, resulting in excessive computational work.

This inefficient scanning leads to significant CPU consumption when processing specially crafted input with many repeated emphasis pairs, allowing an attacker to cause a denial of service by making the parser spend a long time processing the input.

The vulnerability is fixed in Mistune version 3.3.0 by changing the parsing approach to avoid this quadratic behavior.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial of service (DoS) on systems using vulnerable versions of the Mistune Markdown parser. By sending specially crafted Markdown input with long sequences of emphasis markers, the attacker can cause the parser to consume excessive CPU resources.

This can lead to service disruption, slowdowns, or crashes in applications that rely on Mistune for Markdown parsing, potentially affecting availability.

The vulnerability requires no authentication and affects the default configuration, making it easier for attackers to exploit remotely.

Detection Guidance

This vulnerability can be detected by identifying if your system is running Mistune versions 3.2.1 or earlier, which are affected by the denial-of-service issue caused by quadratic-time parsing of long sequences of emphasis pairs.

To detect exploitation attempts or presence of the vulnerability, you can monitor for unusually high CPU usage when processing Markdown content, especially when the input contains long sequences of double-asterisk or triple-asterisk emphasis pairs.

There are no specific commands provided in the resources, but general detection steps include:

  • Check the installed Mistune version with a Python command such as: `pip show mistune` or `pip freeze | grep mistune`.
  • Monitor CPU usage during Markdown parsing to detect spikes that could indicate exploitation.
  • Use network or application logs to identify requests containing long sequences of '**' or '***' repeated many times.
Mitigation Strategies

The immediate mitigation step is to upgrade Mistune to version 3.3.0 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, consider limiting or sanitizing Markdown input to prevent long sequences of double-asterisk or triple-asterisk emphasis pairs that trigger the quadratic parsing behavior.

Additionally, monitoring and rate-limiting requests that contain suspicious Markdown payloads can help reduce the risk of denial-of-service attacks exploiting this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59925. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart