Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-68142

CVE-2025-68142: Pymdown Extensions ReDOS Vulnerability

CVE-2025-68142 is a ReDOS denial of service vulnerability in Facelessuser Pymdown Extensions that causes system hangs when processing malicious user content. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-68142 Overview

CVE-2025-68142 is a Regular Expression Denial of Service (ReDoS) vulnerability in PyMdown Extensions, a set of extensions for the Python-Markdown project. The flaw resides in the figure caption block extension (pymdownx.blocks.caption) in versions prior to 10.16.1. The regular expression RE_FIG_NUM contains an unescaped dot that broadens the pattern beyond its intended use, enabling catastrophic backtracking against crafted input. Systems that pass untrusted Markdown content to the extension without timeouts can experience long processing hangs. The issue is tracked under [CWE-1333] and was patched in release 10.16.1.

Critical Impact

Attackers submitting crafted Markdown content can trigger prolonged CPU consumption in applications that render user-supplied input through pymdownx.blocks.caption.

Affected Products

  • Facelessuser PyMdown Extensions versions prior to 10.16.1
  • Python applications embedding pymdownx.blocks.caption for Markdown rendering
  • Web services accepting untrusted Markdown input through PyMdown Extensions

Discovery Timeline

  • 2025-12-16 - CVE-2025-68142 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-68142

Vulnerability Analysis

The vulnerability stems from an unescaped metacharacter in the figure caption regular expression. In regex syntax, an unescaped dot matches any character rather than a literal period. When combined with a repeating group, the pattern permits multiple overlapping matches against long input strings. Crafted payloads can force the regex engine into catastrophic backtracking, causing the parser to hang. The extension processes Markdown before rendering, so any application that accepts untrusted Markdown becomes a viable target. Impact is limited to availability, since the flaw does not corrupt memory or expose data.

Root Cause

The compiled pattern RE_FIG_NUM used [1-9][0-9]*(?:.[1-9][0-9]*)* where the dot inside the non-capturing group was intended to match a literal period between figure numbering segments. Because the dot was not escaped, it matched any character, producing ambiguous parse states across large inputs.

Attack Vector

An unauthenticated remote attacker submits crafted Markdown content to any endpoint that invokes PyMdown Extensions with the caption block enabled. The regex engine consumes CPU cycles proportional to backtracking complexity, degrading service responsiveness for concurrent users.

python
# Security patch in pymdownx/blocks/caption.py
# Caption pattern should match a literal dot (#2717)
from markdown.treeprocessors import Treeprocessor
import re

-RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')
+RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')
RE_SEP = re.compile(r'[_-]+')

Source: GitHub Commit b50d15a

The patch escapes the dot so the group matches only literal periods between figure number segments, eliminating the backtracking condition.

Detection Methods for CVE-2025-68142

Indicators of Compromise

  • Sustained high CPU utilization in Python worker processes that render Markdown
  • Request timeouts or slow responses from endpoints that process user-supplied Markdown
  • Application logs showing extended time spent in pymdownx.blocks.caption code paths

Detection Strategies

  • Inventory Python environments and identify installations of pymdown-extensions below version 10.16.1 using pip list or SBOM data.
  • Review application code for use of the pymdownx.blocks.caption extension in Markdown pipelines.
  • Correlate slow HTTP requests with Markdown rendering routes to identify probing behavior.

Monitoring Recommendations

  • Track process CPU time and wall-clock duration for Markdown rendering workers.
  • Alert on requests to Markdown-processing endpoints that exceed baseline latency thresholds.
  • Log payload sizes for user-submitted Markdown to detect anomalously large or repetitive input.

How to Mitigate CVE-2025-68142

Immediate Actions Required

  • Upgrade pymdown-extensions to version 10.16.1 or later across all environments.
  • Enforce request timeouts and CPU limits on any service that renders untrusted Markdown.
  • Restrict payload size and rate-limit endpoints that accept Markdown from unauthenticated users.

Patch Information

The fix is available in PyMdown Extensions release 10.16.1 on PyPI and documented in the GHSA-r6h4-mm7h-8pmq security advisory. The corrective change is shown in GitHub commit b50d15a.

Workarounds

  • Disable the pymdownx.blocks.caption extension in Markdown configuration until upgrading is possible.
  • Wrap Markdown rendering calls with execution timeouts to bound processing time per request.
  • Sanitize or truncate user-supplied Markdown before passing it to the extension.
bash
# Upgrade to the patched release
pip install --upgrade "pymdown-extensions>=10.16.1"

# Verify installed version
python -c "import pymdownx; print(pymdownx.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.