GHSA-hjph-f4mc-wx4c: Duplicate Advisory: Mistune has a ReDoS in LINK_TITLE_RE that allows denial of service via crafted Markdown input

May 6, 2026

Denial-of-Service (DoS) vulnerability in the Mistune Markdown parser. The issue occurs when processing specially crafted reference links, which can cause excessive parsing and CPU consumption, leading to application hangs.

Function affected: parse_link_title() in helpers.py Issue: Malformed reference links cause excessive backtracking and parsing loops. Impact: Remote attackers can submit malicious Markdown to hang processes, causing service unavailability.

References

github.com/advisories/GHSA-hjph-f4mc-wx4c
github.com/lepture/mistune
github.com/lepture/mistune/security/advisories/GHSA-hjph-f4mc-wx4c

Code Behaviors & Features

Detect and mitigate GHSA-hjph-f4mc-wx4c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →