DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-49851: CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser

CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser

Vulnerability ID: CVE-2026-49851
CVSS Score: 7.5
Published: 2026-07-09

CVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.

TL;DR

An algorithmic complexity degradation in the Mistune Markdown parser allows unauthenticated remote attackers to exhaust CPU resources and cause a persistent denial of service via malformed nested bracket sequences.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-407
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5 (High)
  • CVSS v4.0 Score: 8.7 (High)
  • Impact: Denial of Service / CPU Exhaustion
  • Exploit Status: PoC available
  • KEV Status: Not listed

Affected Systems

  • Mistune Markdown Parser (PyPI Package)
  • mistune: < 3.3.0 (Fixed in: 3.3.0)

Code Analysis

Commit: d68b0d0

First optimization sweep aiming to skip scanned bracket positions on parsing failure.

Commit: b6b499d

Implemented high-water mark optimization tracking no_close_bracket_before limits.

Commit: 5de41fb

Complete architecture rewrite implementing the linear bracket map cache.

Exploit Details

Mitigation Strategies

  • Upgrade the Mistune dependency to version 3.3.0 or higher.
  • Deploy custom WAF rules to detect and drop payloads with consecutive open brackets.
  • Implement application-level input sanitization to filter or reject abnormal bracket nesting.

Remediation Steps:

  1. Identify all python environments utilizing the mistune package.
  2. Execute pip install --upgrade mistune>=3.3.0 in the target environment.
  3. Deploy input inspection middleware to drop inputs containing sequence structures of 30 or more consecutive unmatched brackets.

References


Read the full report for CVE-2026-49851 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)