2422887 – (CVE-2025-68142) CVE-2025-68142 PyMdown: pymdown-extensions: PyMdown Extensions: Regular Expression Denial of Service in figure caption extension

Bug 2422887 (CVE-2025-68142) - CVE-2025-68142 PyMdown: pymdown-extensions: PyMdown Extensions: Regular Expression Denial of Service in figure caption extension

Summary: CVE-2025-68142 PyMdown: pymdown-extensions: PyMdown Extensions: Regular Expre...

Keywords:
Status:	NEW
Alias:	CVE-2025-68142
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2423130 2423131
Blocks:
TreeView+	depends on / blocked

Reported:	2025-12-16 19:01 UTC by OSIDB Bzimport
Modified:	2025-12-17 09:35 UTC (History)
CC List:	29 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-12-16 19:01:52 UTC

PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hanges when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they're able to upgrade.

Note You need to log in before you can comment on or make changes to this bug.

abarbaro
alcohan
alizardo
amctagga
anjoseph
aoconnor
bniver
flucifre
gmeno
gparvin
groman
jbalunas
jchui
jhe
jprabhak
ktsao
lgamliel
mbenjamin
mhackett
nboldt
owatkins
pahickey
psrna
rfreiman
rhaigner
sdawley
sostapov
vereddy
wtam