CVE-2023-26303: markdown-it-py Denial of Service vulnerability

CVSS Score: 5.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.10249%
Published: 2/23/2023
Updated: 9/30/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name: markdown-it-py
Ecosystem: pip
Vulnerable Versions: < 2.2.0
First Patched Version: 2.2.0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from improper handling of null assertions in multiple rendering functions. The GitHub patch replaces 'assert' statements in these functions with conditional checks. Assertions such as 'assert token.children is not None' and 'assert token.attrs contains alt' could be made to fail by malicious input, raising uncaught AssertionErrors and crashing the application. The security fix commit modified these functions directly to remove these dangerous assertions.
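The assert-versus-conditional-check pattern described above, as an added example that is not markdown-it-py's own code. The `Token` class, both renderers, and the `outcome` helper are hypothetical, and the sample tokens are constructed by hand rather than parsed from Markdown.

```python
from dataclasses import dataclass, field
from html import escape
from typing import Optional


@dataclass
class Token:
    """Hypothetical stand-in for a parsed token (not the library's class)."""
    type: str
    content: str = ""
    attrs: dict = field(default_factory=dict)
    children: Optional[list] = None


def _img(attrs: dict) -> str:
    """Serialise attributes, HTML-escaping each value once at output time."""
    return "<img" + "".join(f' {k}="{escape(str(v))}"' for k, v in attrs.items()) + ">"


def render_image_assert(token: Token) -> str:
    """'Before' pattern: invariants stated with assert."""
    # A failed assert raises AssertionError; uncaught, it kills the caller.
    # Under `python -O` asserts are stripped, so they are not input validation.
    assert token.children is not None
    assert "alt" in token.attrs
    attrs = dict(token.attrs)
    attrs["alt"] = "".join(c.content for c in token.children)
    return _img(attrs)


def render_image_checked(token: Token) -> str:
    """'After' pattern: the same cases handled with conditional checks."""
    attrs = dict(token.attrs)
    children = token.children if token.children is not None else []
    attrs["alt"] = "".join(c.content for c in children)  # missing alt -> ""
    return _img(attrs)


def outcome(render, token: Token) -> str:
    """Return the rendered HTML, or the exception name a caller would see."""
    try:
        return render(token)
    except AssertionError as exc:
        return type(exc).__name__


# Constructed sample tokens (built by hand, not produced by a parser).
GOOD = Token("image", attrs={"src": "x.png", "alt": ""}, children=[Token("text", "a <cat>")])
BAD = Token("image", attrs={"src": "x.png"}, children=None)
```

Both renderers agree on `GOOD`; on `BAD` the assert form raises while the checked form degrades to an empty `alt`.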
