Executive Summary

Mistune, a Markdown parser, is vulnerable to a denial-of-service (DoS) attack due to a quadratic-time parsing vulnerability in the `parse_link_text` function. This vulnerability can be exploited by an attacker to cause excessive CPU usage, leading to a denial of service. The vulnerability has a CVSS score of 8.7 and is classified as CWE-400: Uncontrolled Resource Consumption.

Technical Analysis

The vulnerability is caused by the interaction of two loops in the `InlineParser.parse()` function and the `parse_link_text()` function. When parsing Markdown containing many consecutive '[' characters, `parse_link_text` repeatedly scans the input using a regex search inside a loop, resulting in quadratic-time behavior. This allows an attacker to trigger excessive CPU usage with a very small payload.

How It Gets Exploited

An attacker can exploit this vulnerability by providing a specially crafted Markdown input consisting of repeated '[' characters. For example, an attacker could send a Markdown payload with 6400 consecutive '[' characters to a web application that uses Mistune to parse Markdown. When the application attempts to parse this input, the `parse_link_text` function will consume excessive CPU, leading to a denial of service.

Impact Assessment

This vulnerability affects any application that uses Mistune to parse user-supplied Markdown, including web applications, API services, and documentation rendering systems. A small (~6 KB) payload can block CPU for multiple seconds, making it a significant threat to the availability of these systems. The CVSS score for this vulnerability is 8.7, indicating a high severity level.

Recommended Actions

To mitigate this vulnerability, users of Mistune should update to a version that includes the fix, which returns the furthest scanned position from `parse_link_text` even on failure, allowing the outer loop to skip ahead instead of advancing 1 character at a time. In the meantime, users can implement input validation and limits on the size of Markdown input to prevent exploitation.

Sources

- GitHub Security Advisories: https://github.com/advisories/GHSA-qcq2-496w-v96p - CVE-2026-49851: https://nvd.nist.gov/vuln/detail/CVE-2026-49851