PT-2026-38088 · Pypi · Mistune

Kq5Y · Published 2026-05-06 · Updated 2026-05-12 · CVE-2026-33079

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Mistune versions 3.0.0a1 through 3.2.0

Description: A Regular Expression Denial of Service (ReDoS) exists in the LINK_TITLE_RE regular expression. An attacker can provide specially crafted Markdown for parsing that triggers catastrophic backtracking, leading to exponential O(2^N) time complexity and significant CPU consumption. This occurs because the regular expression used for parsing link titles contains overlapping alternatives in both the double-quoted and the single-quoted branch: a backslash followed by punctuation can be matched either as an escape sequence or as two ordinary characters. This ambiguity is reachable through normal Markdown parsing of inline links via parse_link() and parse_link_title(), as well as of block link reference definitions via BlockParser.parse_ref_link() and parse_link_title(). A small input, such as a document under 100 bytes containing repeated backslash and exclamation mark sequences without a closing quote, can make applications unresponsive.

Recommendations: For versions 3.0.0a1 through 3.2.0, exclude the backslash character from the catch-all character class in the LINK_TITLE_RE regular expression to eliminate the alternation overlap.
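An added example, not mistune's source: the patterns below are reconstructed from the description above to show the overlapping-alternative shape beside the hardened form the recommendation describes, with a regression check that the hardened pattern rejects an unterminated title in linear time (PUNCT, VULNERABLE_TITLE_RE, HARDENED_TITLE_RE, parse_link_title, probe_input and timed_match are assumed names).

```python
import re
import time

# Constructed reproduction of the regex *shape* the advisory describes, not
# mistune's actual source. The escape alternative (backslash + punctuation)
# overlaps with a catch-all class that also accepts a bare backslash.
PUNCT = r'[!"#$%&\'()*+,\-./:;<=>?@\[\\\]^_`{|}~]'

# Vulnerable shape: '\!' can match as one escape OR as two catch-all chars,
# so an unterminated title forces 2^N backtracking paths before failing.
VULNERABLE_TITLE_RE = re.compile(
    r'"(?:\\' + PUNCT + r'|[^"\x00])*"'
    r"|'(?:\\" + PUNCT + r"|[^'\x00])*'"
)

# Hardened shape per the recommendation: the backslash is removed from the
# catch-all class, so each character has exactly one way to match.
# Trade-off: a backslash not followed by punctuation is no longer accepted.
HARDENED_TITLE_RE = re.compile(
    r'"(?:\\' + PUNCT + r'|[^"\\\x00])*"'
    r"|'(?:\\" + PUNCT + r"|[^'\\\x00])*'"
)

def parse_link_title(text, pattern=HARDENED_TITLE_RE):
    """Return the title with quotes stripped and escapes resolved, or None."""
    m = pattern.match(text)
    if not m:
        return None
    return re.sub(r'\\(' + PUNCT + ')', r'\1', m.group(0)[1:-1])

def probe_input(n_pairs):
    """Constructed worst case: opening quote, n '\\!' pairs, no closing quote."""
    return '"' + '\\!' * n_pairs

def timed_match(pattern, text):
    """Match and return (result, elapsed seconds) for a regression check."""
    start = time.perf_counter()
    result = pattern.match(text)
    return result, time.perf_counter() - start

if __name__ == '__main__':
    # Keep N small: the vulnerable pattern doubles its work per extra pair.
    for n in (8, 10, 12):
        _, slow = timed_match(VULNERABLE_TITLE_RE, probe_input(n))
        _, fast = timed_match(HARDENED_TITLE_RE, probe_input(n))
        print(f'{n:>2} pairs: vulnerable {slow:.4f}s, hardened {fast:.6f}s')
```

Both patterns accept the same well-formed titles; only the hardened one fails fast on the unterminated input, which is the property a unit test in the consuming application should pin.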

Tags: Exploit · Fix · DoS


Weakness Enumeration

Related Identifiers

CVE-2026-33079
GHSA-8MP2-V27R-99XP
OPENSUSE-SU-2026:10761-1

Affected Products

Mistune