CVE-2022-34749

HIGH

Mistune <2.0.2 - Code Injection

Title source: llm

Description

In mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.

References (3)

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TQHXITQ2DSBYOILKHXBSBB7PFBPZHF63/

[Patch, Third Party Advisory] https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2

View Patch ZIP pw:eip

[Release Notes, Third Party Advisory] https://github.com/lepture/mistune/releases

Scores

CVSS v3 7.5

EPSS 0.0052

EPSS Percentile 66.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-1333

Status published

Products (3)

fedoraproject/fedora 37

mistune_project/mistune < 2.0.2

pypi/mistune 2.0.0a1 - 2.0.3PyPI

Published Jul 25, 2022

Tracked Since Feb 18, 2026