CVE-2026-49851: Algorithmic Complexity Denial of Service in Mistune Markdown Parser
Vulnerability ID: CVE-2026-49851
CVSS Score: 7.5
Published: 2026-07-09
CVE-2026-49851 is a high-severity algorithmic complexity vulnerability in the Mistune Markdown parser. Under specific conditions involving dense, unmatched nesting of opening square brackets, the parser fallback loops degrade from linear execution time to a worst-case quadratic complexity. This allows unauthenticated remote attackers to trigger complete CPU exhaustion and subsequent Denial of Service with a highly compact payload.
TL;DR
An algorithmic complexity degradation in the Mistune Markdown parser allows unauthenticated remote attackers to exhaust CPU resources and cause a persistent denial of service via malformed nested bracket sequences.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-407
- Attack Vector: Network
- CVSS v3.1 Score: 7.5 (High)
- CVSS v4.0 Score: 8.7 (High)
- Impact: Denial of Service / CPU Exhaustion
- Exploit Status: PoC available
- KEV Status: Not listed
Affected Systems
- Mistune Markdown Parser (PyPI Package)
-
mistune: < 3.3.0 (Fixed in:
3.3.0)
Code Analysis
Commit: d68b0d0
First optimization sweep aiming to skip scanned bracket positions on parsing failure.
Commit: b6b499d
Implemented high-water mark optimization tracking no_close_bracket_before limits.
Commit: 5de41fb
Complete architecture rewrite implementing the linear bracket map cache.
Exploit Details
- GitHub Security Advisories: Advisory referencing structural algorithmic complexities within the inline parsing engines.
Mitigation Strategies
- Upgrade the Mistune dependency to version 3.3.0 or higher.
- Deploy custom WAF rules to detect and drop payloads with consecutive open brackets.
- Implement application-level input sanitization to filter or reject abnormal bracket nesting.
Remediation Steps:
- Identify all python environments utilizing the mistune package.
- Execute pip install --upgrade mistune>=3.3.0 in the target environment.
- Deploy input inspection middleware to drop inputs containing sequence structures of 30 or more consecutive unmatched brackets.
References
- GitHub Security Advisory GHSA-qcq2-496w-v96p
- National Vulnerability Database record CVE-2026-49851
- Red Hat Security Advisory Record
- Red Hat Bugzilla Bug Tracker
- Red Hat Security CSAF VEX File Export
Read the full report for CVE-2026-49851 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)