PyMdown Extensions has ReDoS bug in Figure Caption extension
Description
PyMdown Extensions is a set of extensions for the Python-Markdown markdown project. Versions prior to 10.16.1 have a ReDoS bug in the figure caption extension (pymdownx.blocks.caption). On systems that take unchecked user content, a crafted malicious payload could cause long hangs while the data is processed. This issue is patched in release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards against very large, malicious content aimed at their systems may avoid the use of pymdownx.blocks.caption until they are able to upgrade.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A ReDoS vulnerability in PyMdown Extensions' figure caption extension can cause denial of service when processing crafted markdown input.
Vulnerability
CVE-2025-68142 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the pymdownx.blocks.caption extension of PyMdown Extensions, a collection of extensions for the Python-Markdown library [1]. The flaw resides in the regular expression used to parse figure caption numbers: RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)'). The subpattern (?:.[1-9][0-9]*)* uses a bare ., which matches any character (including a digit) instead of the intended literal period \. A run of digits can therefore be split into number components in many different ways, and when the trailing lookahead (?= |$) fails the engine backtracks through all of them, which is catastrophic backtracking on crafted input [4].
Exploitation
The vulnerability is triggered when an attacker supplies markdown content containing a specially crafted string that matches the pattern in an inefficient way. The advisory notes that a proof-of-concept was created demonstrating exponential time increases with longer strings of '1' followed by 'a' [4]. Systems that accept unchecked user-generated markdown without timeouts or other safeguards are at risk. The issue can be triggered by any user able to submit markdown content to a service that uses the figure caption extension [1].
Impact
Successful exploitation can cause prolonged processing of the markdown content, leading to denial of service (DoS) through excessive CPU consumption. This can hang the application, degrade performance for other users, or exhaust server resources. An attacker does not need authentication if the application processes unauthenticated input [1][4].
Mitigation
The vulnerability is patched in PyMdown Extensions release 10.16.1 [2]. The fix corrects the regex to use the escaped period \. [4]. As a workaround, administrators who cannot immediately upgrade are advised to avoid using the pymdownx.blocks.caption extension or to implement input timeouts and size limits [1].
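To make the mechanism in the Vulnerability section concrete and to show exactly what the 10.16.1 fix changes, here is an added Python example written for this page; it is not code from the PyMdown Extensions project. It carries both patterns that appear on this page, the pre-fix RE_FIG_NUM and the patched one from the commit hunk; `parse_fig_num` and `count_full_parses` are helpers written here, and all inputs are constructed. The counting function is a model of the pattern's ambiguity, not an instrumentation of Python's regex engine: it counts the distinct ways the number subpattern can consume a run of n identical digits, which is the work the engine has to discard once the trailing lookahead fails. With the bare `.` the count follows the Fibonacci numbers; with the literal `\.` it is always 1. The pre-fix pattern is only ever run on short inputs here.

```python
import re

# Pattern as shipped before 10.16.1 (quoted in the advisory above): the bare '.'
# matches any character, including a digit, so a run of digits can be split into
# "number components" in many ways.
VULNERABLE_RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

# Pattern after the fix commit (from the caption.py hunk on this page): only a
# literal period separates components, so a digit run has exactly one parse.
FIXED_RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')


def parse_fig_num(pattern, text):
    """Helper written for this example: parse a caption number prefix.

    Returns (has_caret, number) where has_caret is True when the optional
    leading '^' is present and number is the raw dotted figure number matched
    by group 2, or None when the text does not parse as a figure number.
    """
    m = pattern.match(text)
    if m is None:
        return None
    return (m.group(1) is not None, m.group(2))


def count_full_parses(n, dot_matches_digit=True):
    """Model of the pattern's ambiguity on a run of n identical digits (n >= 1).

    The number subpattern is one block `[1-9][0-9]*` (>= 1 chars) followed by
    zero or more blocks of `<sep>[1-9][0-9]*` (>= 2 chars each, one for the
    separator).  With the bare '.' the separator may itself be a digit, so every
    way of cutting the run into such blocks is a distinct parse that the engine
    must try and reject after the lookahead `(?= |$)` fails.  With the literal
    '\\.' no digit can serve as a separator, so there is exactly one parse.
    """
    if not dot_matches_digit:
        return 1
    # tail[m] = number of ways to cover m chars with blocks of length >= 2
    tail = [1] + [0] * n
    for m in range(1, n + 1):
        tail[m] = sum(tail[m - k] for k in range(2, m + 1))
    # first block takes j >= 1 chars; the remaining n - j chars are tail blocks
    return sum(tail[n - j] for j in range(1, n + 1))


if __name__ == "__main__":
    # Constructed inputs: legitimate caption numbers parse identically under
    # both patterns; the bare '.' additionally accepts junk like "1x2".
    for text in ("^1.2 Caption", "12", "1x2", "0.1"):
        print(repr(text),
              "pre-fix:", parse_fig_num(VULNERABLE_RE_FIG_NUM, text),
              "fixed:", parse_fig_num(FIXED_RE_FIG_NUM, text))
    # The fixed pattern rejects a long digit run followed by a non-space
    # character in linear time; the pre-fix pattern is deliberately not run on it.
    print("fixed on 5000 digits + 'a':",
          parse_fig_num(FIXED_RE_FIG_NUM, "1" * 5000 + "a"))
    for n in (6, 10, 20):
        print(f"parses of {n} digits: bare '.' -> {count_full_parses(n)}, "
              f"literal '\\.' -> {count_full_parses(n, False)}")
```

The size of `count_full_parses(n)` is a lower bound on the states the backtracking engine visits before giving up, which is why the advisory's timing grows exponentially with the length of the digit run. The comparison on "1x2" also shows that the fix is a correctness change as well as a performance one: a separator that is not a literal period no longer matches.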
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pymdown-extensions (PyPI) | < 10.16.1 | 10.16.1 |
Affected products
- Range: < 10.16.1
- facelessuser/pymdown-extensions v5: Range: < 10.16.1
Patches
- b50d15a56850: Caption pattern should match a literal dot (#2717)
3 files changed · +6 −2
docs/src/markdown/about/changelog.md+4 −0 modified@@ -1,5 +1,9 @@ # Changelog +## 10.16.1 + +- **FIX**: Inefficient regular expression pattern for figure caption numbers. + ## 10.16 - **NEW**: Add early support for Python 3.14.
pymdownx/blocks/caption.py+1 −1 modified@@ -31,7 +31,7 @@ from markdown.treeprocessors import Treeprocessor import re -RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)') +RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)') RE_SEP = re.compile(r'[_-]+')
pymdownx/__meta__.py+1 −1 modified@@ -193,5 +193,5 @@ def parse_version(ver: str) -> Version: return Version(major, minor, micro, release, pre, post, dev) -__version_info__ = Version(10, 16, 0, "final") +__version_info__ = Version(10, 16, 1, "final") __version__ = __version_info__._get_canonical()
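Review bot: the changelog entry added under 10.16.1 calls the fix an "inefficient regular expression pattern" but does not say that it closes a ReDoS issue or name the advisory (GHSA-r6h4-mm7h-8pmq, listed in this page's references); downstream packagers triage security fixes from changelogs, so a line such as "- **FIX**: Inefficient regular expression pattern for figure caption numbers (ReDoS, GHSA-r6h4-mm7h-8pmq)." would make the security relevance visible.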
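Review bot: the one-character change to RE_FIG_NUM in the caption.py hunk is the right fix, but it ships without a regression test; since the defect was the bare `.` matching a digit, the test that protects it should assert that a long run of digits followed by a non-space character returns no match promptly and that dotted numbers such as `1.2` and `^1.2` still parse. Note also that the change narrows what matches: a number whose components are joined by anything other than a literal period (for example `1x2`) previously matched and now does not, which is the intended behaviour but worth stating next to the changelog entry.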
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r6h4-mm7h-8pmq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-68142 (advisory)
- github.com/facelessuser/pymdown-extensions/commit/b50d15a56850ed1408a284bba81cc019c6bd72e8 (web, fix commit)
- github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq (web, vendor confirmation)
- pypi.org/project/pymdown-extensions/10.16.1 (web, patched release)
News mentions
No linked articles in our index yet.