CVE-2026-59925
HIGHinline_parser: quadratic-time parsing on long runs of `**x**` and `***x***` emphasis pairs
Title source: cnaDescription
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, long sequences of well-formed double-asterisk or triple-asterisk emphasis pairs around a character cause quadratic work in src/mistune/inline_parser.py because the parser scans forward for matching close markers from every potential opening run, allowing denial of service in default Mistune parsing. This issue is fixed in version 3.3.0.
References (3)
Core 3
Core References
X_Refsource_Misc x_refsource_misc
https://github.com/lepture/mistune/releases/tag/v3.3.0
X_Refsource_Confirm x_refsource_confirm
https://github.com/lepture/mistune/security/advisories/GHSA-4j32-57v6-6g45
X_Refsource_Misc x_refsource_misc
https://github.com/lepture/mistune/commit/5de41fb8e527004dbc363e047a3c380c9288c74f
Scores
CVSS v3
7.5
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1333
CWE-407
Status
published
Products (1)
lepture/mistune
< 3.3.0
Published
Jul 08, 2026
Tracked Since
Jul 08, 2026