Miggo Logo
Miggo Vulnerability Database
CVE-2022-34749

CVE-2022-34749: Mistune vulnerable to catastrophic backtracking

8.6

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-34749
GHSA ID
GHSA-fw3v-x4f2-v673
EPSS Score
0.2714%
CWE
CWE-1333
Published
7/26/2022
Updated
9/25/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
mistunepip>= 2.0.0a1, < 2.0.32.0.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the ASTERISK_EMPHASIS regex pattern in inline_parser.py. The commit diff shows this regex was modified to prevent catastrophic backtracking by replacing the vulnerable '(?:\[\]|[^])' pattern with a more efficient '(?:(?:(?<!\)(?:\\)*)|[^*])+' and adding a negative lookbehind assertion. The removed test cases in non-commonmark.txt specifically tested these edge cases of nested emphasis markers, confirming this was the attack vector. The CWE-1333 classification and commit message explicitly reference this regex as the fix target.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In Mistun* t*rou** *.*.*, support o* inlin* m*rkup is impl*m*nt** *y usin* r**ul*r *xpr*ssions t**t **n involv* * *i** *mount o* ***ktr**kin* on **rt*in **** **s*s. T*is ****vior is *ommonly n*m** **t*strop*i* ***ktr**kin*.

Reasoning

T** vuln*r**ility st*ms *rom t** *ST*RISK_*MP**SIS r***x p*tt*rn in inlin*_p*rs*r.py. T** *ommit *i** s*ows t*is r***x w*s mo*i*i** to pr*v*nt **t*strop*i* ***ktr**kin* *y r*pl**in* t** vuln*r**l* '(?:\\[\\*]|[^*])*' p*tt*rn wit* * mor* ***i*i*nt '(?