CVE-2025-68142 Overview
CVE-2025-68142 is a Regular Expression Denial of Service (ReDoS) vulnerability in PyMdown Extensions, a set of extensions for the Python-Markdown project. The flaw resides in the figure caption block extension (pymdownx.blocks.caption) in versions prior to 10.16.1. The regular expression RE_FIG_NUM contains an unescaped dot that broadens the pattern beyond its intended use, enabling catastrophic backtracking against crafted input. Systems that pass untrusted Markdown content to the extension without timeouts can experience long processing hangs. The issue is tracked under [CWE-1333] and was patched in release 10.16.1.
Critical Impact
Attackers submitting crafted Markdown content can trigger prolonged CPU consumption in applications that render user-supplied input through pymdownx.blocks.caption.
Affected Products
- Facelessuser PyMdown Extensions versions prior to 10.16.1
- Python applications embedding pymdownx.blocks.caption for Markdown rendering
- Web services accepting untrusted Markdown input through PyMdown Extensions
Discovery Timeline
- 2025-12-16 - CVE-2025-68142 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-68142
Vulnerability Analysis
The vulnerability stems from an unescaped metacharacter in the figure caption regular expression. In regex syntax, an unescaped dot matches any character rather than a literal period. When combined with a repeating group, the pattern permits multiple overlapping matches against long input strings. Crafted payloads can force the regex engine into catastrophic backtracking, causing the parser to hang. The extension processes Markdown before rendering, so any application that accepts untrusted Markdown becomes a viable target. Impact is limited to availability, since the flaw does not corrupt memory or expose data.
Root Cause
The compiled pattern RE_FIG_NUM used [1-9][0-9]*(?:.[1-9][0-9]*)* where the dot inside the non-capturing group was intended to match a literal period between figure numbering segments. Because the dot was not escaped, it matched any character, producing ambiguous parse states across large inputs.
Attack Vector
An unauthenticated remote attacker submits crafted Markdown content to any endpoint that invokes PyMdown Extensions with the caption block enabled. The regex engine consumes CPU cycles proportional to backtracking complexity, degrading service responsiveness for concurrent users.
# Security patch in pymdownx/blocks/caption.py
# Caption pattern should match a literal dot (#2717)
from markdown.treeprocessors import Treeprocessor
import re
-RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')
+RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')
RE_SEP = re.compile(r'[_-]+')
Source: GitHub Commit b50d15a
The patch escapes the dot so the group matches only literal periods between figure number segments, eliminating the backtracking condition.
Detection Methods for CVE-2025-68142
Indicators of Compromise
- Sustained high CPU utilization in Python worker processes that render Markdown
- Request timeouts or slow responses from endpoints that process user-supplied Markdown
- Application logs showing extended time spent in pymdownx.blocks.caption code paths
Detection Strategies
- Inventory Python environments and identify installations of pymdown-extensions below version 10.16.1 using pip list or SBOM data.
- Review application code for use of the pymdownx.blocks.caption extension in Markdown pipelines.
- Correlate slow HTTP requests with Markdown rendering routes to identify probing behavior.
Monitoring Recommendations
- Track process CPU time and wall-clock duration for Markdown rendering workers.
- Alert on requests to Markdown-processing endpoints that exceed baseline latency thresholds.
- Log payload sizes for user-submitted Markdown to detect anomalously large or repetitive input.
How to Mitigate CVE-2025-68142
Immediate Actions Required
- Upgrade pymdown-extensions to version 10.16.1 or later across all environments.
- Enforce request timeouts and CPU limits on any service that renders untrusted Markdown.
- Restrict payload size and rate-limit endpoints that accept Markdown from unauthenticated users.
Patch Information
The fix is available in PyMdown Extensions release 10.16.1 on PyPI and documented in the GHSA-r6h4-mm7h-8pmq security advisory. The corrective change is shown in GitHub commit b50d15a.
Workarounds
- Disable the pymdownx.blocks.caption extension in Markdown configuration until upgrading is possible.
- Wrap Markdown rendering calls with execution timeouts to bound processing time per request.
- Sanitize or truncate user-supplied Markdown before passing it to the extension.
# Upgrade to the patched release
pip install --upgrade "pymdown-extensions>=10.16.1"
# Verify installed version
python -c "import pymdownx; print(pymdownx.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

