chore(deps): update dependency pymdown-extensions to v10.16.1 [security] #1635

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into main from renovate/pypi-pymdown-extensions-vulnerability

Contributor

renovate bot commented Dec 16, 2025

This PR contains the following updates:

Package	Change	Age	Confidence
pymdown-extensions	`==10.3.1` -> `==10.16.1`

GitHub Vulnerability Alerts

CVE-2025-68142

Impact

This issue describes a ReDOS bug found within the figure caption extension (pymdownx.blocks.caption ).

In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted.

Patches

This issue is patched in Release 10.16.1.

Workarounds

Some possible workarounds

If users are concerned about this vulnerability and process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems, the use of pymdownx.blocks.caption could be avoided until the library is updated to 10.16.1+.

References

The original issue https://github.com/facelessuser/pymdown-extensions/issues/2716.

Description

The original issue came through PyMdown Extensions' normal issue tracker instead of the typical security flow: https://github.com/facelessuser/pymdown-extensions/issues/2716. Because this came through the normal issue flow, it was handled as a normal issue. In the future, PyMdown Extensions will ensure such issues, even if prematurely made public through the normal issue flow, are redirected through the typical security process.

The regular expression pattern in question is as follows:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

The POC was provided by @ShangzhiXu

import re
import time

regex_pattern = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

for i in range(50, 500, 50):
    long_string = '1' * i + 'a'
    start_time = time.time()
    match = re.match(regex_pattern, long_string)
    end_time = time.time()
    print(f"long_string execution time: {end_time - start_time:.6f} s")

The issue with the above pattern is that . was used, which accepts any character when we meant to use \.. The fix was to update the pattern to:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')

Relevant PR with fix: https://github.com/facelessuser/pymdown-extensions/pull/2717

Version(s) & System Info

Operating System: Any
Python Version: Any

Release Notes

facelessuser/pymdown-extensions (pymdown-extensions)

`v10.16.1`: 10.6.1

10.16.1

FIX: Inefficient regular expression pattern for figure caption numbers.

`v10.16`

10.16

NEW: Add early support for Python 3.14.
NEW: Drop support for Python 3.8.
NEW: Snippets: Added max_retries and backoff_retries options to configure new retry logic for HTTP 429
errors (Too Many Requests client error).
NEW: Caption: Prefix templates are now preserved exactly as specified allowing the insertion of HTML tags if
desired.
FIX: Caption: Fix issue where manual numbers in auto were not respected appropriately.

`v10.15`

10.15.0

NEW: SuperFences: Add relaxed_headers option which can tolerate bad content in the fenced code header. When
enabled, code blocks with bad content in the header will likely still convert into code blocks, often respecting
the specified language.
NEW: Add type hints to the Blocks interface and a few additional files.
FIX: Blocks: Fix some corner cases of nested blocks with lists.
FIX: Tab and Tabbed: Fix a case where tabs could fail if combine_header_slug was enabled and there was no
header.

`v10.14.3`

10.14.3

FIX: Blocks: An empty, raw block type should not cause an error.

`v10.14.2`

10.14.2

FIX: Blocks: Fix some corner cases with md_in_html.

`v10.14.1`

10.14.1

FIX: MagicLink: Ensure that repo names that start with . are handled correctly.
FIX: FancyLists: Fix case were lists could be falsely created when a line started with . or ).

`v10.14`

10.14

NEW: Blocks.HTML: Add new custom option to specify tags and the assumed handling for them when automatic mode
is assumed. This can also be used to override the handling for recognized tags with automatic handling.
FIX: Fix tests to pass with Pygments 2.19+.

`v10.13`

10.13

NEW: Snippets: Allow multiple line numbers or line number blocks separated by ,.
NEW: Snippets: Allow using a negative index for number start indexes and end indexes. Negative indexes are converted to positive indexes based on the number of lines in the snippet.
FIX: Snippets: Properly capture empty newline at end of file.
FIX: Snippets: Fix issue where when non sections of files are included, section labels are not stripped.
FIX: BetterEm: Fixes for complex cases.
FIX: Blocks: More consistent handling of empty newlines in block processor extensions.

`v10.12`

10.12

NEW: Blocks: Blocks extensions no longer considered in beta.
NEW: Details: Details is marked as "legacy" in documentation in favor of the new pymdownx.blocks.details approach.
NEW: Tabbed: Tabbed is marked as "legacy" in documentation in favor of the new pymdownx.blocks.tab approach.
NEW: Caption: Add new "blocks" style extension called Caption which helps with specifying figures with captions.
NEW: Emoji: Add a new strict option that will raise an exception if an emoji is used whose name has changed,
removed, or never existed.
FIX: Emoji: Emoji links should be generated such that they point to the new CDN version.

`v10.11.2`

10.11.2

FIX: SuperFences: Fix a regression where certain patterns could cause a hang.

`v10.11.1`

10.11.1

Fix: SuperFences: Fix regression where an omitted language in conjunction with options in the fenced header
can cause a fence to not be parsed.

`v10.11`

10.11

NEW: SuperFences: Allow fenced code to be parsed in the form ```lang {.class #id}.

`v10.10.2`

10.10.2

FIX: BetterEm: Add better support for *em, **em,strong*** and _em, __em,strong___ cases.
FIX: Caret: Add better support for *sup, **sup,ins***.
FIX: Tilde: Add better support for *sub, **sub,del***.

`v10.10.1`

10.10.1

FIX: FancyLists: Remove a mistaken semicolon from injected classes.

`v10.10`

10.10

NEW: FancyLists: Add new FancyLists extension.
NEW: MagicLink: Change social links to support x instead of twitter. twitter is still recognized but is
now deprecated and will be removed at a future time.
NEW: Emoji: Update Twemoji data to the latest.
FIX: PathConverter: Fixes for latest changes in Python regarding urlunparse.

`v10.9`

10.9

NEW: Officially support Python 3.13.
FIX: Snippets: Better handling of cases where URL snippet requests contain no header length.

`v10.8.1`

10.8.1

FIX: Snippets: Fix snippet line range with a start of line 1.

`v10.8`

10.8

NEW: Require Python Markdown 3.6+.
FIX: Fix some test cases.
FIX: Fix warnings due to recent changes in Python Markdown.

`v10.7.1`

10.7.1

FIX: SmartSymbols: Ensure symbols are properly translated in table of content tokens.

`v10.7`

10.7

NEW: Emoji: Update Twemoji and Gemoji data to latest.
NEW: Emoji: Due to recent Gemoji update, non-standard emoji are no longer indexed. So emoji such as :octocat:
are no longer resolved.
NEW: Highlight: Added new option default_lang which will cause code blocks with no language specifier to be
highlighted with the specified default language instead of plain text. This affects indented code blocks and code
blocks defined with SuperFences.
NEW: InlineHilite: style_plain_text can be specified with a language string (in addition to its previous
boolean requirement) to treat inline code blocks with no explicit language specifier with a specific default
language.

`v10.6`

10.6

NEW: MagicLink: Allow configuring custom repository providers based off the existing providers.

`v10.5`

10.5

NEW: Blocks: Admonitions and Details now allow configuring custom block classes and default titles.
FIX: Keys: Ensure that Keys does not parse base64 encoded URLs.

`v10.4`

10.4

NEW: Snippets: Allow PathLike objects for base_path to better support interactions with MkDocs.
FIX: Block Admonitions: Empty titles should be respected.
FIX: Block Details: Empty summary should be respected.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency pymdown-extensions to v10.16.1 [security]

fa6b257

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet