CVE-2026-33079: CWE-1333: Inefficient Regular Expression Complexity in lepture mistune
In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.
AI Analysis
Technical Summary
CVE-2026-33079 describes a ReDoS vulnerability in the Mistune Markdown parser, specifically in versions 3.0.0a1 through 3.2.0. The vulnerability is due to the LINK_TITLE_RE regular expression, which contains overlapping alternatives that create ambiguous matching paths. This ambiguity leads to catastrophic backtracking when parsing certain crafted Markdown inputs, such as repeated exclamation marks without a closing quote in link titles. This can cause significant CPU consumption and denial of service in applications that parse Markdown using Mistune.
Potential Impact
An attacker who can supply Markdown input to a vulnerable Mistune parser can cause a denial of service by triggering excessive CPU usage through crafted inputs that exploit the inefficient regular expression. This can make applications unresponsive, impacting availability. There are no indications of privilege escalation, data disclosure, or other impacts beyond denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is indicated in the provided data. Users should monitor the Red Hat advisory and the Mistune project for updates. Until a fix is available, consider limiting or sanitizing Markdown input from untrusted sources to reduce exposure to this vulnerability.
CVE-2026-33079: CWE-1333: Inefficient Regular Expression Complexity in lepture mistune
Description
In versions 3.0.0a1 through 3.2.0 of Mistune, there is a ReDoS (Regular Expression Denial of Service) vulnerability in `LINK_TITLE_RE` that allows an attacker who can supply Markdown for parsing to cause denial of service. The regular expression used for parsing link titles contains overlapping alternatives that can trigger catastrophic backtracking. In both the double-quoted and single-quoted branches, a backslash followed by punctuation can be matched either as an escaped punctuation sequence or as two ordinary characters, creating an ambiguous pattern inside a repeated group. If an attacker supplies Markdown containing repeated ! sequences with no closing quote, the regex engine explores an exponential number of backtracking paths. This is reachable through normal Markdown parsing of inline links and block link reference definitions. A small crafted input can therefore cause significant CPU consumption and make applications using Mistune unresponsive.
CVSS v4.0
Score 8.7high
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33079 describes a ReDoS vulnerability in the Mistune Markdown parser, specifically in versions 3.0.0a1 through 3.2.0. The vulnerability is due to the LINK_TITLE_RE regular expression, which contains overlapping alternatives that create ambiguous matching paths. This ambiguity leads to catastrophic backtracking when parsing certain crafted Markdown inputs, such as repeated exclamation marks without a closing quote in link titles. This can cause significant CPU consumption and denial of service in applications that parse Markdown using Mistune.
Potential Impact
An attacker who can supply Markdown input to a vulnerable Mistune parser can cause a denial of service by triggering excessive CPU usage through crafted inputs that exploit the inefficient regular expression. This can make applications unresponsive, impacting availability. There are no indications of privilege escalation, data disclosure, or other impacts beyond denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch is indicated in the provided data. Users should monitor the Red Hat advisory and the Mistune project for updates. Until a fix is available, consider limiting or sanitizing Markdown input from untrusted sources to reduce exposure to this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-17T19:27:06.345Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-33079","vendor":"Red Hat"}]
Threat ID: 69fb7f9ecbff5d8610195779
Added to database: 05/06/2026, 17:51:26 UTC
Last enriched: 06/30/2026, 21:42:15 UTC
Last updated: 07/04/2026, 08:51:22 UTC
Views: 157
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.