Skip to content

Commit 96347f9

Browse files
1 parent 8e03653 commit 96347f9

1 file changed

Lines changed: 78 additions & 0 deletions

File tree

Lines changed: 78 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,78 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qcq2-496w-v96p",
4+
"modified": "2026-07-09T23:52:28Z",
5+
"published": "2026-07-09T23:52:27Z",
6+
"aliases": [
7+
"CVE-2026-49851"
8+
],
9+
"summary": " Mistune: Potential DoS via quadratic-time parsing in parse_link_text",
10+
"details": "### Summary\nMistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. A relatively small input consisting of repeated [ characters causes significant parsing slowdown.\n\n### Affected component\nmistune/inline_parser.py → **parse_link_text**\n\n### Description\nWhen parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior.\nAn attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload.\n\n### Root cause\nThe vulnerability stems from a two-loop interaction:\n- The outer loop in `InlineParser.parse()` (inline_parser.py) advances \n only 1 character at a time when parse_link() returns None\n- Each failed attempt calls `parse_link_text()` which performs an O(n) \n scan to the end of the string looking for a closing `]`\n- With n consecutive `[` characters, this results in O(n) × O(n) = O(n²) \n total work\n\n### PoC\nRun below python script\n```\nimport mistune\nimport time\n\nmd = mistune.create_markdown()\n\ns = \"[\" * 6400\n\nt = time.perf_counter()\nmd(s)\nprint(time.perf_counter() - t)\n```\n<img width=\"2028\" height=\"1277\" alt=\"image\" src=\"https://github.com/user-attachments/assets/15d5bc0b-35f8-4a15-85e0-cbc314a45b06\" />\n\n**Benmark poc**\nRun below code for benchmark\n```\nimport mistune\nimport time\n\nmd = mistune.create_markdown()\n\nsizes = [100,200,400,800,1600,3200,6400]\n\nfor n in sizes:\n s = \"[\" * n\n\n t0 = time.perf_counter()\n md(s)\n dt = time.perf_counter() - t0\n\n print(f\"{n:6d} {dt:.6f}\")\n```\n<img width=\"2503\" height=\"1341\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f09a7bbb-6927-4ba2-afb1-444dd913b84e\" />\n\n\n### Observed behaviour\n```\npython3 benchmark.py \n 100 0.001609\n 200 0.003207\n 400 0.012906\n 800 0.050220\n 1600 0.197307\n 3200 0.801172\n 6400 3.190393\n```\nExecution time grows superlinearly, consistent with O(n²) complex\n\n### Impact\nThis can be used as a denial-of-service attack in any application that parses user-supplied Markdown using Mistune, including:\n\n- Web applications (comments, posts, content rendering)\n- API services processing Markdown\n- Documentation rendering systems\n- A small (~6 KB) payload can block CPU for multiple seconds.\n\n### Suggested fix\nReturn the furthest scanned position from parse_link_text even on failure, so the outer loop can skip ahead instead of advancing 1 character at a time\n\n### Security Classification\nCWE-400: Uncontrolled Resource Consumption\nDenial of Service (CPU exhaustion)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "PyPI",
25+
"name": "mistune"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "0"
33+
},
34+
{
35+
"fixed": "3.3.0"
36+
}
37+
]
38+
}
39+
]
40+
}
41+
],
42+
"references": [
43+
{
44+
"type": "WEB",
45+
"url": "https://github.com/lepture/mistune/security/advisories/GHSA-qcq2-496w-v96p"
46+
},
47+
{
48+
"type": "ADVISORY",
49+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49851"
50+
},
51+
{
52+
"type": "WEB",
53+
"url": "https://access.redhat.com/security/cve/CVE-2026-49851"
54+
},
55+
{
56+
"type": "WEB",
57+
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492304"
58+
},
59+
{
60+
"type": "PACKAGE",
61+
"url": "https://github.com/lepture/mistune"
62+
},
63+
{
64+
"type": "WEB",
65+
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49851.json"
66+
}
67+
],
68+
"database_specific": {
69+
"cwe_ids": [
70+
"CWE-400",
71+
"CWE-1333"
72+
],
73+
"severity": "HIGH",
74+
"github_reviewed": true,
75+
"github_reviewed_at": "2026-07-09T23:52:27Z",
76+
"nvd_published_at": "2026-06-24T18:17:18Z"
77+
}
78+
}

0 commit comments

Comments
 (0)