CVE-2026-59928
Received Received - Intake

Denial of Service in Mistune Markdown Parser

Vulnerability report for CVE-2026-59928, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, a Markdown document containing many repeated or distinct reference-link definitions causes quadratic work in src/mistune/block_parser.py and the ref_links environment dictionary handling, allowing denial of service through CPU exhaustion. This issue is fixed in version 3.3.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
lepture mistune to 3.3.0 (exc)
lepture mistune 3.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59928 is a vulnerability in the mistune Python Markdown parser where processing a Markdown document with many repeated or distinct reference-link definitions causes the parser to perform quadratic-time work. This happens because the parser scans forward from every candidate position for each reference link, leading to a significant increase in CPU usage as the number of links grows.

An attacker can exploit this by submitting a relatively small Markdown input containing thousands of reference-link definitions, causing the parser to consume excessive CPU resources and resulting in a denial-of-service (DoS) condition.

The issue is fixed in mistune version 3.3.0 by optimizing the parser to handle reference links in a single forward pass, reducing the time complexity from quadratic to linear.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial-of-service (DoS) on applications using mistune to render untrusted Markdown content.

Specifically, the attacker can submit Markdown documents with many repeated reference-link definitions that cause the parser to consume excessive CPU resources, potentially degrading system performance or making the service unavailable.

Since the attack requires only network access and no privileges, and the attack complexity is low, it poses a high risk to availability of services relying on mistune versions prior to 3.3.0.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage when processing markdown documents with many repeated or distinct reference-link definitions using the mistune package (versions <= 3.2.1).

One practical approach is to test the markdown rendering process with a crafted markdown input containing a large number of repeated reference-link definitions (e.g., `[a]: u\n` repeated thousands of times) and observe the CPU usage or processing time.

For example, you can create a test markdown file with many repeated reference links and measure the time taken by a Python script using mistune to parse it.

A sample command to test parsing time could be:

  • Create a markdown file with repeated reference links: `printf '[a]: u\n%.0s' {1..5000} > test.md`
  • Run a Python script to parse the file and measure time:
  • ```python import time import mistune with open('test.md') as f: content = f.read() start = time.time() markdown = mistune.create_markdown() markdown(content) print('Parsing time:', time.time() - start) ```

If the parsing time is significantly high (e.g., several seconds for 5000+ reference links), the system is likely vulnerable.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the mistune package to version 3.3.0 or later, where the quadratic-time parsing issue has been fixed.

This fix optimizes the parser to handle reference-link definitions in a single forward pass, reducing the time complexity from O(NΒ²) to O(N), preventing CPU exhaustion.

Additionally, if upgrading immediately is not possible, consider limiting or sanitizing untrusted markdown input to reduce the number of reference-link definitions processed.

Compliance Impact

The vulnerability in mistune causes a denial-of-service (DoS) through CPU exhaustion when processing markdown documents with many reference-link definitions. This impacts availability but does not directly affect confidentiality or integrity of data.

Since the issue primarily leads to service unavailability due to high CPU usage, it could indirectly affect compliance with standards like GDPR or HIPAA if those regulations require maintaining service availability or timely processing of data. However, there is no direct indication that this vulnerability leads to data breaches or unauthorized access.

Therefore, the main compliance concern would be related to availability requirements under such regulations, but the provided information does not specify explicit compliance impacts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59928. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart