Source: mistune
Version: 3.1.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 3.1.4-1
Hi,

The following vulnerability was published for mistune.

CVE-2026-33079[0]:
| In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS
| (Regular Expression Denial of Service) vulnerability in
| `LINK_TITLE_RE` that allows an attacker who can supply Markdown for
| parsing to cause denial of service. The regular expression used for
| parsing link titles contains overlapping alternatives that can
| trigger catastrophic backtracking. In both the double-quoted and
| single-quoted branches, a backslash followed by punctuation can be
| matched either as an escaped punctuation sequence or as two ordinary
| characters, creating an ambiguous pattern inside a repeated group.
| If an attacker supplies Markdown containing repeated ! sequences
| with no closing quote, the regex engine explores an exponential
| number of backtracking paths. This is reachable through normal
| Markdown parsing of inline links and block link reference
| definitions. A small crafted input can therefore cause significant
| CPU consumption and make applications using Mistune unresponsive.

Note there is no upstream fix at time of writing for this, but filing a
bug for tracking.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33079
    https://www.cve.org/CVERecord?id=CVE-2026-33079
[1] https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp

Regards,
Salvatore
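The following is an added illustration of the ambiguity the advisory describes; it is not part of the bug report and not code from mistune. The "ambiguous" title pattern below is reconstructed from the advisory's prose (a repeated group whose first alternative is backslash plus punctuation and whose second alternative is any non-quote character), so its exact shape is an assumption, not the literal `LINK_TITLE_RE`. The hardened variant is one standard way to remove the overlap: only the escape alternative may consume a backslash, and the catch-all alternative excludes it, so every input position has exactly one applicable alternative. Rather than timing the ambiguous regex, `count_parses` counts how many distinct ways the repeated group can consume a quote-less body, which is the number of complete paths a backtracking engine tries before concluding there is no closing quote.

```python
import re
import string

# ASCII punctuation as a character class (CommonMark's escapable set).
PUNCT = '[' + re.escape(string.punctuation) + ']'

# Ambiguous shape reconstructed from the advisory (assumption, not the
# literal mistune pattern). Inside the quotes, a backslash followed by
# punctuation fits the first alternative, but the backslash alone also
# fits the second, so the same two characters have two parses.
AMBIGUOUS_TITLE_RE = re.compile(
    r'"(?:\\' + PUNCT + r'|[^"\x00])*"'
    r'|'
    r"'(?:\\" + PUNCT + r"|[^'\x00])*'"
)

# Hardened form: a backslash is consumed only by the escape alternative
# (which swallows the following character), and the catch-all alternative
# excludes the backslash. The two alternatives no longer overlap.
HARDENED_TITLE_RE = re.compile(
    r'"(?:\\[^\x00]|[^"\\\x00])*"'
    r'|'
    r"'(?:\\[^\x00]|[^'\\\x00])*'"
)

# The single-token alternatives of each repeated group, for counting parses
# of the double-quoted branch.
AMBIGUOUS_TOKENS = [re.compile(r'\\' + PUNCT), re.compile(r'[^"\x00]')]
HARDENED_TOKENS = [re.compile(r'\\[^\x00]'), re.compile(r'[^"\\\x00]')]


def count_parses(body: str, token_res) -> int:
    """Number of distinct ways the repeated group can consume all of `body`.

    A backtracking engine that never finds the closing quote explores each
    of these complete tokenisations before failing, so this count is a
    lower bound on the work the ambiguous pattern does.
    """
    n = len(body)
    ways = [0] * (n + 1)
    ways[n] = 1  # the empty remainder has exactly one parse
    for i in range(n - 1, -1, -1):
        for tok in token_res:
            m = tok.match(body, i)
            if m and m.end() > i:
                ways[i] += ways[m.end()]
    return ways[0]


def parse_counts(n: int) -> tuple:
    """Parse counts for a constructed body of n backslash-bang pairs with
    no closing quote: ambiguous group vs hardened group."""
    body = '\\!' * n
    return count_parses(body, AMBIGUOUS_TOKENS), count_parses(body, HARDENED_TOKENS)


def is_title(pattern, text: str) -> bool:
    """True if `text` is a complete link title under `pattern`."""
    return pattern.fullmatch(text) is not None


if __name__ == '__main__':
    for n in (4, 8, 16, 24):
        amb, hard = parse_counts(n)
        print(f'{n:2d} pairs: ambiguous={amb:>9d}  hardened={hard}')
    # Both patterns agree on ordinary titles, including escaped quotes.
    for t in ('"hello"', '"say \\"hi\\""', "'it\\'s'", '"back\\\\slash"'):
        print(t, is_title(AMBIGUOUS_TITLE_RE, t), is_title(HARDENED_TITLE_RE, t))
```

Expected growth is 2**n parses for the ambiguous group against exactly 1 for the hardened one. The one class of input on which the two reconstructed patterns disagree is a title whose body ends in a lone backslash immediately before the closing quote: the hardened form reads that backslash as escaping the quote (CommonMark's rule, since `"` is punctuation) and reports no title, whereas the ambiguous form backtracks into the second alternative and accepts it. Checking a candidate replacement against the project's existing title test cases for exactly this kind of divergence is the caveat to keep in mind when applying such a fix.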

