Python-Markdown Denial-of-Service Vulnerability via Malformed HTML Sequences

A denial-of-service vulnerability has been identified in Python-Markdown versions through 3.8. This issue arises when the Markdown parser encounters malformed HTML-like sequences, specifically '<!['. These sequences trigger an unhandled AssertionError in the 'html.parser.HTMLParser', causing the application to crash. Since Python-Markdown does not catch this exception, any application processing untrusted Markdown can experience a crash. This vulnerability allows for remote, unauthenticated denial-of-service attacks in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown.

Impact

Exploitation of this vulnerability leads to a crash of the application processing the Markdown, causing a denial-of-service condition. Additionally, uncaught exceptions may be exposed, potentially disclosing information through stack traces.

Reproduction

The vulnerability can be reproduced by parsing untrusted Markdown inputs containing malformed HTML-like sequences with Python-Markdown version 3.8. This can be done using a Python script that imports the Markdown library, specifies the crash-inducing inputs, and attempts to process them with the Markdown parser. The resulting uncaught exceptions confirm the crash, demonstrating the vulnerability.

Remediation

Users can upgrade to Python-Markdown version 3.8.1, which addresses this vulnerability by catching the AssertionError and preventing the parser from crashing.