Mistune ReDoS Vulnerability in LINK_TITLE_RE Allowing Denial-of-Service

Vulnerability

A Regular Expression Denial-of-Service (ReDoS) vulnerability has been identified in the Mistune Markdown parser, specifically in versions 3.0.0a1 through 3.2.0. The issue arises within the 'LINK_TITLE_RE' regular expression, which is used to parse link titles in Markdown. The vulnerability allows an attacker to cause a denial-of-service condition by supplying crafted Markdown that exploits overlapping alternatives in the regex, leading to catastrophic backtracking. This backtracking can be triggered through normal Markdown parsing of inline links and block link reference definitions, causing significant CPU consumption and unresponsiveness in applications using Mistune.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing applications that parse user-supplied Markdown with Mistune to become unresponsive. This can disrupt services or applications that rely on real-time user interaction or processing.

Reproduction

The vulnerability can be reproduced by using the Mistune Markdown parser to process crafted input that takes advantage of the regex overlap in 'LINK_TITLE_RE'. This can be done by creating inline links or block link reference definitions that include repeated sequences of escaped punctuation, such as backslashes followed by punctuation characters, which the regex interprets ambiguously. The resulting backtracking can be measured to demonstrate the denial-of-service effect.

Remediation

To address this vulnerability, the backslash character should be excluded from the catch-all character class in the 'LINK_TITLE_RE' regex. This modification eliminates the overlap by ensuring that a backslash can only be interpreted as an escape for punctuation, removing the ambiguity that leads to catastrophic backtracking.
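To make the overlap concrete, here is a constructed, simplified link-title regex in the style of the pattern described above, with the weak form beside the hardened form. This is an added illustration and not Mistune's actual LINK_TITLE_RE or its fix; the pattern, the helper names and the sample inputs are assumptions made for this example.

```python
import re
import time

# Constructed, simplified stand-in for a Markdown link-title regex
# (NOT Mistune's real LINK_TITLE_RE): a double-quoted title whose body is
# a sequence of escaped punctuation characters or ordinary characters.
PUNCT = r'!-/:-@\[-`{-~'                    # the ASCII punctuation ranges
ESCAPED = r'\\[' + PUNCT + r']'             # backslash + punctuation
LONE_BACKSLASH = r'\\(?![' + PUNCT + r'])'  # backslash that escapes nothing

# Weak form: the catch-all class [^"] also admits a bare backslash, so the
# two characters \! can be consumed either as one ESCAPED step or as two
# [^"] steps. When no closing quote follows, the engine retries every
# combination: 2^n paths for n escaped characters.
WEAK_TITLE_RE = re.compile(r'"((?:' + ESCAPED + r'|[^"])*)"')

# Hardened form, following the remediation described above: the backslash
# is removed from the catch-all class, so every alternative starts with a
# distinct character and the engine never has to choose between them.
FIXED_TITLE_RE = re.compile(
    r'"((?:' + ESCAPED + r'|' + LONE_BACKSLASH + r'|[^"\\])*)"')


def parse_title(pattern, text):
    """Return the title body if `text` starts with a quoted title, else None."""
    m = pattern.match(text)
    return m.group(1) if m else None


def time_match(pattern, text):
    """Seconds spent by `pattern` on `text` (whether it matches or rejects)."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def unterminated_title(n):
    """Constructed worst case: opening quote, n escaped '!' and no closing quote."""
    return '"' + r'\!' * n


if __name__ == '__main__':
    for n in (8, 12, 16):      # kept small on purpose: the weak form doubles per step
        print(f'weak  n={n:<5} {time_match(WEAK_TITLE_RE, unterminated_title(n)):.4f}s')
    for n in (1000, 5000):     # the hardened form rejects the same input in linear time
        print(f'fixed n={n:<5} {time_match(FIXED_TITLE_RE, unterminated_title(n)):.4f}s')
```

Both forms accept the same legitimate titles, including escaped quotes and a literal backslash before a non-punctuation character; only the hardened form rejects the unterminated input without backtracking across alternatives.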

Added: May 6, 2026, 6:23 PM
Updated: May 6, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm
  spread          5.4
  impact          2.5
  exploitability  6.0
  remediation     0.0
  relevance       7.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.