facelessuser pymdown-extensions
cpe:2.3:a:pymdown_extensions_project:pymdown_extensions:*:*:*:*:*:*:*
- < 10.16.1
A regular expression denial-of-service (ReDoS) vulnerability has been identified in the PyMdown Extensions library, specifically within the figure caption extension (pymdownx.blocks.caption). This issue affects versions prior to 10.16.1. The vulnerability arises from an inefficient regular expression pattern that can be exploited with a crafted payload, leading to significant delays when the input is processed. It is particularly concerning in systems that render unchecked user content.
Exploitation of this vulnerability can cause prolonged processing times, leading to potential application hangs or slowdowns.
The vulnerability can be reproduced with a crafted string that exploits the regular expression pattern in the figure caption extension. The pattern improperly uses an unescaped dot, which matches any character, where a literal dot was intended, so it accepts a long string of repeated characters and takes a disproportionate amount of time to process. The input consists of the character '1' repeated many times, followed by an 'a', matched against the vulnerable pattern. Measuring the execution time demonstrates the impact.
Users can upgrade to PyMdown Extensions version 10.16.1 or later, where this vulnerability has been patched. As an interim measure, avoid using the figure caption extension when processing untrusted user content without safeguards.