CVE-2026-59925

NameCVE-2026-59925
DescriptionMistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mistune (PTS)bullseye0.8.4-4vulnerable
bookworm2.0.4-1vulnerable
trixie3.1.3-1vulnerable
forky, sid3.1.4-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mistunesource(unstable)(unfixed)

Notes

[trixie] - mistune <no-dsa> (Minor issue)
https://github.com/lepture/mistune/security/advisories/GHSA-4j32-57v6-6g45
Fixed by: https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f (v3.3.0)

Search for package or bug name: Reporting problems