https://www.cve.org/CVERecord?id=CVE-2025-69534 reports:

CVE-2025-69534
Published: 2026-03-05
Updated: 2026-03-05

Description
-----------

Python-Markdown version 3.8 contains a vulnerability where malformed
HTML-like sequences can cause html.parser.HTMLParser to raise an
unhandled AssertionError during Markdown parsing. Because
Python-Markdown does not catch this exception, any application that
processes attacker-controlled Markdown may crash. This enables remote,
unauthenticated Denial of Service in web applications, documentation
systems, CI/CD pipelines, and any service that renders untrusted
Markdown. The issue was acknowledged by the vendor and fixed in
version 3.8.1. This issue causes a remote Denial of Service in any
application parsing untrusted Markdown, and can lead to Information
Disclosure through uncaught exceptions.

References
----------

    https://github.com/Python-Markdown/markdown/issues/1534
    https://github.com/Python-Markdown/markdown
    https://github.com/Python-Markdown/markdown/actions/runs/15736122892

The comments in the linked GitHub issue though note that the root cause is
"a bug in the standard lib's HTMLParser which was just fixed last month
(see cpython#77057)." and that they are just providing a workaround for
older Python versions without that fix yet.

https://github.com/python/cpython/issues/77057 appears to be fixed in
3.13.4 & 3.14.0b2, but doesn't have a security advisory that I've found.

--
        -Alan Coopersmith-                 [email protected]
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
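As an added example, not part of the post above and not code from Python-Markdown or CPython: a small triage helper that uses only the version numbers the advisory and issue thread name (Python-Markdown 3.8.1, CPython 3.13.4 / 3.14.0b2), plus a rendering wrapper that treats an AssertionError out of html.parser like any other parser failure at the trust boundary instead of letting it take the worker down. The function names `markdown_needs_workaround`, `cpython_has_parser_fix` and `render_untrusted` are assumptions, and the stub renderers stand in for `markdown.markdown` so the snippet runs without the package installed and without reproducing the triggering input.

```python
"""Defensive handling for CVE-2025-69534-style parser failures.

Added example: not code from Python-Markdown, CPython or the original post.
Version numbers come from the advisory text; function names are assumptions.
"""
import logging
import re
import sys
from typing import Callable, Tuple

log = logging.getLogger("markdown_guard")

# Fixed versions named in the advisory and the linked issue thread.
FIXED_PYTHON_MARKDOWN = (3, 8, 1)          # Python-Markdown 3.8.1 adds the workaround
FIXED_CPYTHON_313 = (3, 13, 4)             # html.parser fix (cpython#77057), 3.13 line
FIXED_CPYTHON_314 = (3, 14, 0, "beta", 2)  # same fix, 3.14 line (3.14.0b2)

FALLBACK_HTML = "<p>This content could not be rendered.</p>"


def _numeric(version: str) -> Tuple[int, ...]:
    """'3.8.1rc1' -> (3, 8, 1); non-numeric suffixes are ignored."""
    return tuple(int(m.group(1)) for m in re.finditer(r"(?:^|\.)(\d+)", version))


def markdown_needs_workaround(md_version: str) -> bool:
    """True when the installed Python-Markdown predates the 3.8.1 workaround."""
    return _numeric(md_version) < FIXED_PYTHON_MARKDOWN


def cpython_has_parser_fix(vi=sys.version_info) -> bool:
    """True when this interpreter's html.parser already carries cpython#77057.

    Branches the advisory does not mention (3.12 and older) are treated as
    unfixed here; that is an assumption, check your distribution's backports.
    """
    major, minor, micro, level, serial = vi[:5]
    if (major, minor) < (3, 13):
        return False
    if (major, minor) == (3, 13):
        return (major, minor, micro) >= FIXED_CPYTHON_313
    if (major, minor) == (3, 14):
        # releaselevel strings sort correctly: alpha < beta < candidate < final
        return (major, minor, micro, level, serial) >= FIXED_CPYTHON_314
    return True


def render_untrusted(text: str, renderer: Callable[[str], str],
                     fallback: str = FALLBACK_HTML) -> str:
    """Render attacker-controlled Markdown without a parser bug crashing the worker.

    AssertionError is not a ValueError, so the usual `except ValueError`
    around a renderer still lets this one propagate. Catching Exception at
    the trust boundary (and only here) covers it. The traceback goes to the
    operator's log and is never echoed to the requester, which addresses the
    information-disclosure half of the advisory.
    """
    try:
        return renderer(text)
    except Exception:  # includes AssertionError raised inside html.parser
        log.exception("markdown rendering failed; returning fallback")
        return fallback


# Constructed stand-ins for markdown.markdown so this runs without the package.
# They mimic the failure mode (an unhandled AssertionError), not the trigger input.
def stub_renderer_asserts(text: str) -> str:
    raise AssertionError("simulated html.parser assertion")


def stub_renderer_ok(text: str) -> str:
    return "<p>" + text + "</p>"


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("interpreter has html.parser fix:", cpython_has_parser_fix())
    print("Python-Markdown 3.8 needs workaround:", markdown_needs_workaround("3.8"))
    print(render_untrusted("hello", stub_renderer_ok))
    print(render_untrusted("hello", stub_renderer_asserts))
```

In a real service the call would be `render_untrusted(body, markdown.markdown)`; the triage helpers are meant for a startup check or an inventory script, where a Python-Markdown below 3.8.1 running on an interpreter without the parser fix is the combination the advisory describes.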