CVE-2025-69534: Uncontrolled Resource Consumption in Markdown

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 41.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 5

Description

Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (8 packages)

debian/python2.7: < python3.13 3.13.4-1 (forky)
debian/python3.9: < python3.13 3.13.4-1 (forky)
debian/python3.11: < python3.13 3.13.4-1 (forky)

🔴 Vulnerability Details (3)

OSV: Python-Markdown has an Uncaught Exception (2026-03-05)
OSV: CVE-2025-69534: Python-Markdown version 3 (2026-03-05)
GHSA: Python-Markdown has an Uncaught Exception (2026-03-05)

📋 Vendor Advisories (2)

Red Hat: python-markdown: denial of service via malformed HTML-like sequences (2026-03-05)
Debian: CVE-2025-69534: pypy3 - Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like se... (2025)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-69534 Impact, Exploitability, and Mitigation Steps | Wiz