+ "details": "### Summary\nMistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. A relatively small input consisting of repeated [ characters causes significant parsing slowdown.\n\n### Affected component\nmistune/inline_parser.py → **parse_link_text**\n\n### Description\nWhen parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior.\nAn attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload.\n\n### Root cause\nThe vulnerability stems from a two-loop interaction:\n- The outer loop in `InlineParser.parse()` (inline_parser.py) advances \n only 1 character at a time when parse_link() returns None\n- Each failed attempt calls `parse_link_text()` which performs an O(n) \n scan to the end of the string looking for a closing `]`\n- With n consecutive `[` characters, this results in O(n) × O(n) = O(n²) \n total work\n\n### PoC\nRun below python script\n```\nimport mistune\nimport time\n\nmd = mistune.create_markdown()\n\ns = \"[\" * 6400\n\nt = time.perf_counter()\nmd(s)\nprint(time.perf_counter() - t)\n```\n<img width=\"2028\" height=\"1277\" alt=\"image\" src=\"https://github.com/user-attachments/assets/15d5bc0b-35f8-4a15-85e0-cbc314a45b06\" />\n\n**Benmark poc**\nRun below code for benchmark\n```\nimport mistune\nimport time\n\nmd = mistune.create_markdown()\n\nsizes = [100,200,400,800,1600,3200,6400]\n\nfor n in sizes:\n s = \"[\" * n\n\n t0 = time.perf_counter()\n md(s)\n dt = time.perf_counter() - t0\n\n print(f\"{n:6d} {dt:.6f}\")\n```\n<img width=\"2503\" height=\"1341\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f09a7bbb-6927-4ba2-afb1-444dd913b84e\" />\n\n\n### Observed behaviour\n```\npython3 benchmark.py \n 100 0.001609\n 200 0.003207\n 400 0.012906\n 800 0.050220\n 1600 0.197307\n 3200 0.801172\n 6400 3.190393\n```\nExecution time grows superlinearly, consistent with O(n²) complex\n\n### Impact\nThis can be used as a denial-of-service attack in any application that parses user-supplied Markdown using Mistune, including:\n\n- Web applications (comments, posts, content rendering)\n- API services processing Markdown\n- Documentation rendering systems\n- A small (~6 KB) payload can block CPU for multiple seconds.\n\n### Suggested fix\nReturn the furthest scanned position from parse_link_text even on failure, so the outer loop can skip ahead instead of advancing 1 character at a time\n\n### Security Classification\nCWE-400: Uncontrolled Resource Consumption\nDenial of Service (CPU exhaustion)",
0 commit comments