CVE-2025-46656: markdownify allows large headline prefixes such as <h9999999>, which causes memory consumption

CVSS Score (CVSS 3.1): 2.9

Basic Information

EPSS Score: 0.06416%
Published: 4/27/2025
Updated: 4/28/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
markdownify    pip         < 0.14.1              0.14.1

Vulnerability Intelligence
Miggo AI

Miggo AI Root Cause Analysis

The vulnerability description states that large headline prefixes (e.g., <h9999999>) cause memory consumption. The provided commit 959561879693bf4a576f99c6733b50b01186aa08 directly addresses this issue. The diff for markdownify/__init__.py shows modifications within the convert_hn method of the MarkdownConverter class. Specifically, a line n = max(1, min(6, n)) was added. This line sanitizes the input n (the heading level), which was previously used without validation. Therefore, convert_hn is the function that processed the unsanitized, potentially very large heading level, making it the vulnerable function prior to this patch. The full name as it would appear in a profiler would include the class and module, hence markdownify.MarkdownConverter.convert_hn.
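The analysis above describes the defect in one line: the heading level taken from the tag name reached a string-building step without validation, and the fix clamps it to 1..6. The following is an added illustration written for this page, not markdownify's own code: a simplified model of the convert_hn pattern (the function names heading_level, render_heading_unclamped, render_heading_clamped and max_heading_level, and the SAMPLE document, are all constructed for the example). It shows where the memory goes in the pre-0.14.1 behaviour (the ATX prefix is built as '#' * n, so <h9999999> means a roughly 10 MB prefix for a single heading), the clamped form after the fix, and a small pre-conversion audit that reports the largest heading level in an untrusted document, which is the check a defender would run in front of an unpatched converter.

```python
import re
from html.parser import HTMLParser

# Added illustration, not markdownify's own code: a minimal model of the
# convert_hn pattern described in the root cause analysis. In the library,
# <hN> tags are dispatched to convert_hn(n, ...) and the ATX heading prefix
# is built as '#' * n; version 0.14.1 added n = max(1, min(6, n)).

_HEADING_TAG = re.compile(r"^h(\d+)$")


def heading_level(tag):
    """Return the numeric level for a tag such as 'h2' or 'h9999999', else None."""
    m = _HEADING_TAG.match(tag)
    return int(m.group(1)) if m else None


def render_heading_unclamped(n, text):
    """Pre-0.14.1 behaviour (simplified): the level is used as-is, so the
    prefix allocation grows linearly with whatever number the tag carried."""
    return "%s %s\n\n" % ("#" * n, text.strip())


def render_heading_clamped(n, text):
    """Post-0.14.1 behaviour: the level is sanitised to the HTML range 1..6."""
    n = max(1, min(6, n))  # the single line added by the fix
    return "%s %s\n\n" % ("#" * n, text.strip())


class HeadingAudit(HTMLParser):
    """Collects every heading level seen in a document so oversized levels can
    be flagged before untrusted HTML reaches a converter that lacks the clamp."""

    def __init__(self):
        super().__init__()
        self.levels = []

    def handle_starttag(self, tag, attrs):
        n = heading_level(tag)
        if n is not None:
            self.levels.append(n)


def max_heading_level(html):
    """Largest heading level present in the document (0 if there are none)."""
    parser = HeadingAudit()
    parser.feed(html)
    return max(parser.levels, default=0)


# Constructed sample input for the example; not taken from any real report.
SAMPLE = "<h1>Title</h1><p>body</p><h9999999>boom</h9999999><h3>ok</h3>"

if __name__ == "__main__":
    print("max heading level in sample:", max_heading_level(SAMPLE))
    print("unclamped output length for <h9999999>:",
          len(render_heading_unclamped(9999999, "boom")))
    print("clamped output for <h9999999>:",
          repr(render_heading_clamped(9999999, "boom")))
```

The audit is deliberately separate from the renderer: clamping inside the converter is the right fix for the library, while rejecting or logging documents whose largest heading level exceeds 6 is the kind of input check a service that feeds user-supplied HTML into a converter can apply regardless of which converter version it runs.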

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption.
