GoogleOSV:GHSA-FW3V-X4F2-V673Mistune vulnerable to catastrophic backtracking
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
45.9%
In Mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
References
github.com/lepture/mistune
github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2
github.com/lepture/mistune/commit/ca1e7b506850f4e488823fc7338b49a8f9852718
github.com/lepture/mistune/issues/314#issuecomment-1223972386
github.com/lepture/mistune/releases
github.com/pypa/advisory-database/blob/main/vulns/mistune/PYSEC-2022-237.yaml
github.com/pypa/advisory-database/tree/main/vulns/mistune/PYSEC-2022-237.yaml
lists.fedoraproject.org/archives/list/[email protected]/message/TQHXITQ2DSBYOILKHXBSBB7PFBPZHF63
nvd.nist.gov/vuln/detail/CVE-2022-34749
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.001 Low
EPSS
Percentile
45.9%