CVE-2022-34749: Mistune vulnerable to catastrophic backtracking
(updated )
In Mistune through 2.0.2, support of inline markup is implemented by using regular expressions that can involve a high amount of backtracking on certain edge cases. This behavior is commonly named catastrophic backtracking.
References
- github.com/advisories/GHSA-fw3v-x4f2-v673
- github.com/lepture/mistune
- github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2
- github.com/lepture/mistune/commit/ca1e7b506850f4e488823fc7338b49a8f9852718
- github.com/lepture/mistune/issues/314
- github.com/lepture/mistune/releases
- github.com/pypa/advisory-database/tree/main/vulns/mistune/PYSEC-2022-237.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TQHXITQ2DSBYOILKHXBSBB7PFBPZHF63
- nvd.nist.gov/vuln/detail/CVE-2022-34749
Detect and mitigate CVE-2022-34749 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →