<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mistune (&lt; 3.3.0) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mistune--3.3.0/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 09 Jul 2026 23:53:38 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mistune--3.3.0/feed.xml" rel="self" type="application/rss+xml"/><item><title>Mistune Markdown Parser Vulnerable to CPU Exhaustion DoS (CVE-2026-49851)</title><link>https://feed.craftedsignal.io/briefs/2026-07-mistune-dos/</link><pubDate>Thu, 09 Jul 2026 23:53:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-mistune-dos/</guid><description>The Mistune Python Markdown parser is vulnerable to a CPU exhaustion Denial of Service (DoS) attack, identified as CVE-2026-49851, due to a superlinear (O(n²)) parsing behavior in the `parse_link_text` function when processing specially crafted input containing repeated square brackets, allowing an attacker to significantly degrade application performance with a small payload.</description><content:encoded><![CDATA[<p>A significant CPU exhaustion Denial of Service (DoS) vulnerability, tracked as CVE-2026-49851, has been identified in the Mistune Python Markdown parser. This vulnerability stems from inefficient parsing logic within the <code>parse_link_text</code> function, which exhibits superlinear (approximately O(n²)) time complexity when processing specific malicious inputs. Attackers can exploit this by submitting Markdown content containing a large number of consecutive <code>[</code> characters. This forces Mistune to repeatedly scan and re-scan the input, leading to excessive CPU utilization. The issue affects Mistune versions prior to 3.3.0 and poses a critical risk to any application that uses Mistune to process user-supplied Markdown, including web applications, API services, and documentation rendering systems.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious Markdown payload consisting of a large number of consecutive opening square bracket characters (e.g., <code>s = &quot;[&quot; * 6400</code>).</li>
<li>The malicious Markdown payload is delivered to a target application that uses Mistune for parsing user-supplied content, via HTTP request body, API input, or other means.</li>
<li>The application processes the input, invoking the <code>mistune.create_markdown()</code> function to parse the content.</li>
<li>During parsing, the <code>InlineParser.parse()</code> function in <code>mistune/inline_parser.py</code> attempts to interpret the malformed link text.</li>
<li>When <code>parse_link()</code> fails to find a valid link, the outer loop in <code>InlineParser.parse()</code> advances only one character at a time.</li>
<li>Each failed attempt triggers <code>parse_link_text()</code> which performs an O(n) scan to the end of the string searching for a closing <code>]</code>.</li>
<li>The combination of the O(n) scan in <code>parse_link_text()</code> within an outer loop that iterates O(n) times results in a total O(n²) CPU exhaustion, causing the application to become unresponsive or crash.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-49851 can lead to a denial of service for any application that parses user-supplied Markdown using vulnerable versions of Mistune. This includes web applications handling comments or posts, API services processing Markdown content, and documentation rendering systems. With a relatively small malicious payload (e.g., 6,400 characters, approximately 6 KB), an attacker can cause CPU exhaustion for multiple seconds on the targeted server, significantly degrading performance or rendering the service completely unavailable. There is no specific victim count or sector mentioned, but any organization using vulnerable Mistune installations in internet-facing applications is at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch the Mistune library to version 3.3.0 or later to address <strong>CVE-2026-49851</strong>.</li>
<li>Implement robust input validation and sanitization for all user-supplied Markdown content processed by your applications to prevent malformed inputs that exploit <strong>CVE-2026-49851</strong>.</li>
<li>Monitor application CPU usage for unexpected spikes as a potential indicator of a DoS attack attempt.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>python</category><category>library</category><category>vulnerability</category><category>markdown</category></item></channel></rss>