CVE-2025-68142

5.3 MEDIUM

📋 TL;DR

PyMdown Extensions versions before 10.16.1 contain a regular expression denial-of-service (ReDoS) vulnerability in the figure caption extension (pymdownx.blocks.caption) that allows attackers to cause denial of service by submitting specially crafted malicious content. Systems that process untrusted user input without proper safeguards are affected. Parsing such a payload can stall markdown processing for a long time.

💻 Affected Systems

Products:
  • PyMdown Extensions
Versions: All versions prior to 10.16.1
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using the pymdownx.blocks.caption extension and processing untrusted user content

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service causing system unavailability due to resource exhaustion from processing malicious payloads
🟠 Likely Case: Degraded performance and service disruption when processing malicious user content
🟢 If Mitigated: Minimal impact with proper timeouts and input validation in place

🌐 Internet-Facing: MEDIUM - Systems accepting user content without safeguards are vulnerable to DoS attacks
🏢 Internal Only: LOW - Internal systems typically process trusted content, reducing attack surface

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires submitting malicious content to systems processing markdown with the vulnerable extension

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.16.1

Vendor Advisory: https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq

Restart Required: No

Instructions:

1. Update PyMdown Extensions using pip: pip install --upgrade pymdown-extensions==10.16.1
2. Verify the update completed successfully
3. No restart required for Python applications

🔧 Temporary Workarounds

Disable vulnerable extension
Applies to: all

Disable the pymdownx.blocks.caption extension until patching is possible.

Modify your markdown configuration to remove or disable 'pymdownx.blocks.caption'.

🧯 If You Can't Patch

  • Implement strict input validation and size limits on user-submitted content
  • Add processing timeouts and resource limits to markdown processing functions
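The two interim measures above (a size limit and a processing timeout) can be combined in one wrapper around the renderer. The following is an added illustration written for this advisory, not code from the PyMdown Extensions project. It assumes Python-Markdown's `markdown.markdown()` API with an `extensions` list (the list is where the workaround of dropping `pymdownx.blocks.caption` would be applied); the byte cap and the deadline are assumed values, and the two stand-in child scripts are constructed purely to exercise the guard paths without the real renderer. The renderer runs in a child process because a regex stuck in catastrophic backtracking holds the interpreter, so a thread-based timeout is not a reliable cut-off; `subprocess.run()` kills the child when the deadline passes.

```python
"""Bounded rendering of untrusted Markdown: size cap plus hard wall-clock timeout.

Added illustration for this advisory's interim mitigations; it is not code from
PyMdown Extensions. A ReDoS stalls the regex engine inside the interpreter and
Python's re module holds the GIL while matching, so a thread-based timeout may
never get a chance to fire. The renderer therefore runs in a child process that
subprocess.run() kills when the deadline passes.
"""
import subprocess
import sys

MAX_BYTES = 64 * 1024      # assumption: generous cap for user-submitted documents
TIMEOUT_SECONDS = 5.0      # assumption: far above legitimate render times

# Child-side script. Hypothetical configuration: the extension list is the one
# place to apply the advisory's workaround (drop 'pymdownx.blocks.caption' from it
# until the host is patched to 10.16.1).
RENDER_CHILD = r"""
import sys
import markdown  # Python-Markdown; pymdownx.* extensions come from pymdown-extensions
EXTENSIONS = ["pymdownx.blocks.caption"]
text = sys.stdin.buffer.read().decode("utf-8")
html = markdown.markdown(text, extensions=EXTENSIONS)
sys.stdout.buffer.write(html.encode("utf-8"))
"""

# Constructed stand-ins used only to exercise the wrapper without the real
# renderer: one echoes its input, one stalls the way a ReDoS-stuck worker would.
ECHO_CHILD = "import sys; sys.stdout.buffer.write(sys.stdin.buffer.read().upper())"
STALL_CHILD = "import time; time.sleep(60)"


def render_with_limits(text, child_code=RENDER_CHILD,
                       max_bytes=MAX_BYTES, timeout_s=TIMEOUT_SECONDS):
    """Render `text` in a child process; reject oversize input up front.

    Returns a dict whose 'status' is one of 'ok', 'rejected', 'timeout', 'error'.
    """
    data = text.encode("utf-8")
    if len(data) > max_bytes:
        # Cheap first line of defence: a ReDoS payload still needs input to chew on.
        return {"status": "rejected", "reason": "input exceeds %d bytes" % max_bytes}
    try:
        proc = subprocess.run(
            [sys.executable, "-c", child_code],
            input=data, capture_output=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run() kills the child before re-raising, so no worker is
        # left spinning; the caller gets a fast, clean failure instead of a hang.
        return {"status": "timeout", "reason": "render exceeded %.1fs" % timeout_s}
    if proc.returncode != 0:
        return {"status": "error",
                "reason": proc.stderr.decode("utf-8", "replace").strip()[-500:]}
    return {"status": "ok", "html": proc.stdout.decode("utf-8")}


def demo():
    """Exercise the three guard paths with the constructed child scripts."""
    return {
        "ok": render_with_limits("# Title", child_code=ECHO_CHILD)["status"],
        "rejected": render_with_limits("x" * 100, child_code=ECHO_CHILD,
                                       max_bytes=50)["status"],
        "timeout": render_with_limits("x", child_code=STALL_CHILD,
                                      timeout_s=0.5)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

In production the default `RENDER_CHILD` does the real work and the caller treats `timeout` as a signal worth logging (it is the "long processing hang" this advisory describes, cut short), while `rejected` keeps oversized submissions from ever reaching the regex engine. The per-process start-up cost is the price of a timeout that actually fires.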

🔍 How to Verify

Check if Vulnerable:

Check PyMdown Extensions version: pip show pymdown-extensions | grep Version

Check Version:

pip show pymdown-extensions | grep Version

Verify Fix Applied:

Verify version is 10.16.1 or higher: pip show pymdown-extensions | grep Version
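For fleets where grepping `pip show` by hand does not scale, the same check can be done in-process. This is an added example, not tooling from the project: it reads the installed distribution's version through `importlib.metadata` (distribution name `pymdown-extensions`, as in the `pip` commands above) and compares it against the 10.16.1 threshold. The version parser is a deliberately small assumption of dotted numeric components with an optional pre-release suffix; anything stranger should go through `packaging.version` instead.

```python
"""Programmatic check that the installed PyMdown Extensions is at or past the fix.

Added example for this advisory, not code from the project. Assumes versions of
the form N.N.N with an optional pre-release suffix on the last numeric component
(e.g. '10.16.1rc1'); a pre-release of the fixed version is treated as NOT fixed.
"""
import re
from importlib import metadata

FIXED_VERSION = "10.16.1"          # patch version named in the advisory
DIST_NAME = "pymdown-extensions"   # distribution name used with pip


def parse_version(version):
    """Return (numeric_tuple, is_prerelease) for a dotted version string.

    '10.16.1'    -> ((10, 16, 1), False)
    '10.17'      -> ((10, 17, 0), False)
    '10.16.1rc1' -> ((10, 16, 1), True)
    """
    nums, prerelease = [], False
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        if not m:
            break
        nums.append(int(m.group(1)))
        if m.group(2):            # trailing text such as 'rc1' marks a pre-release
            prerelease = True
            break
    while len(nums) < 3:          # pad so '10.17' compares against '10.16.1'
        nums.append(0)
    return tuple(nums[:3]), prerelease


def is_fixed(version, fixed=FIXED_VERSION):
    """True when `version` is the fixed release or a later one."""
    nums, prerelease = parse_version(version)
    fixed_nums, _ = parse_version(fixed)
    return nums > fixed_nums or (nums == fixed_nums and not prerelease)


def installed_status(dist=DIST_NAME):
    """Look up the installed version and report whether it carries the fix."""
    try:
        version = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return {"installed": False, "version": None, "fixed": None}
    return {"installed": True, "version": version, "fixed": is_fixed(version)}


if __name__ == "__main__":
    print(installed_status())
```

`installed_status()` returning `fixed: False` is the condition to alert on; `installed: False` means the package is absent from this interpreter, which is not the same as safe if another environment on the host has it.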

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for markdown content
  • High CPU usage spikes during content processing
  • Timeout errors in markdown processing functions

Network Indicators:

  • Repeated submissions of large or complex markdown content
  • Patterns of content designed to trigger regex processing

SIEM Query:

source="application.logs" AND ("markdown processing" OR "pymdown") AND (duration>10s OR "timeout" OR "hang")
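The SIEM query above can be mirrored by a small log scanner for environments without a SIEM, or for testing the logic before deploying the query. The following is an added example, not part of the advisory or the project; the log lines are constructed for illustration in a key=value layout, and the `duration=...s` field, the scope terms (`markdown processing`, `pymdown`) and the 10 s threshold are taken directly from the query and should be adapted to the field names your application actually emits.

```python
"""Scan application log lines for the indicators listed in this advisory.

Added example, not project code. Mirrors the SIEM query: a line is in scope if it
mentions "markdown processing" or "pymdown", and it is flagged when its duration
exceeds the threshold or it contains "timeout" / "hang". Field names and the
sample lines are constructed assumptions, not output of any real system.
"""
import re

# Constructed sample log (not from a real deployment).
SAMPLE_LOGS = """\
2025-06-01T10:00:01Z INFO component=markdown msg="markdown processing" duration=0.03s
2025-06-01T10:00:02Z INFO component=pymdown msg="render ok" duration=0.11s
2025-06-01T10:00:09Z WARN component=markdown msg="markdown processing timeout" duration=5.00s
2025-06-01T10:00:30Z INFO component=pymdown msg="render finished" duration=27.4s
2025-06-01T10:00:31Z INFO component=auth msg="login ok" duration=14.2s
2025-06-01T10:00:32Z ERROR component=pymdown msg="worker hang detected"
"""

DURATION_RE = re.compile(r"\bduration=(\d+(?:\.\d+)?)s\b")
SCOPE_TERMS = ("markdown processing", "pymdown")   # from the SIEM query
KEYWORDS = ("timeout", "hang")                      # from the SIEM query


def matches_query(line, threshold_s=10.0):
    """Apply the query's logic to one line: in scope AND (slow OR keyword)."""
    lowered = line.lower()
    if not any(term in lowered for term in SCOPE_TERMS):
        return False                      # e.g. a slow auth call is not our signal
    m = DURATION_RE.search(line)
    if m and float(m.group(1)) > threshold_s:
        return True
    return any(word in lowered for word in KEYWORDS)


def find_suspicious(log_text, threshold_s=10.0):
    """Return the lines that satisfy the query, preserving order."""
    return [ln for ln in log_text.splitlines() if ln and matches_query(ln, threshold_s)]


def summarize(log_text, threshold_s=10.0):
    """Count flagged lines by reason, which is what a dashboard panel would show."""
    counts = {"slow": 0, "keyword": 0}
    for ln in find_suspicious(log_text, threshold_s):
        m = DURATION_RE.search(ln)
        if m and float(m.group(1)) > threshold_s:
            counts["slow"] += 1
        else:
            counts["keyword"] += 1
    return counts


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(hit)
    print(summarize(SAMPLE_LOGS))
```

On the constructed sample the scanner flags the 5 s timeout, the 27.4 s render and the "hang" error, and ignores the 14.2 s `auth` line because it is outside the query's scope; note that a renderer which logs under a different component name would be missed the same way, so the scope terms need checking against real log output.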
