CVE-2026-33079

Name: CVE-2026-33079

Description: In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated `\!` sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.

Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Debian Bugs: 1135942

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release    | Version | Status     |
|----------------|------------|---------|------------|
| mistune (PTS)  | bullseye   | 0.8.4-4 | fixed      |
|                | bookworm   | 2.0.4-1 | fixed      |
|                | trixie     | 3.1.3-1 | vulnerable |
|                | forky, sid | 3.1.4-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs |
|---------|--------|------------|----------------|---------|--------|-------------|
| mistune | source | bullseye   | (not affected) |         |        |             |
| mistune | source | bookworm   | (not affected) |         |        |             |
| mistune | source | (unstable) | (unfixed)      |         |        | 1135942     |

Notes

[trixie] - mistune <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - mistune <not-affected> (Vulnerable code not present)
[bullseye] - mistune <not-affected> (Vulnerable code not present)
https://github.com/lepture/mistune/security/advisories/GHSA-8mp2-v27r-99xp