CVE-2025-68142

5.3 MEDIUM
Published: December 16, 2025 Modified: February 03, 2026
View on NVD

Description

PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hanges when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they're able to upgrade.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/facelessuser/pymdown-extensions/commit/b50d15a56850ed1408a284bba81cc019c6bd72e8
Source: security-advisories@github.com
Patch
https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq
Source: security-advisories@github.com
Exploit Patch Vendor Advisory
https://pypi.org/project/pymdown-extensions/10.16.1
Source: security-advisories@github.com
Product Release Notes

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.3 / 10.0
EPSS (Exploit Probability)
0.1%
22th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-1333

Affected Vendors

facelessuser

Related CVEs

CVE-2026-33340 9.1
CVE-2025-11571 N/A
CVE-2026-33700 N/A
CVE-2026-33680 7.5
CVE-2026-33679 6.4