Intel

AIKIDO-2026-425066

markdown-it-py is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 2 days ago

53

Medium Risk

This Affects:

PYTHONmarkdown-it-py
0.1.0 - 4.0.0
Fixed in 4.1.0
Are you affected? Scan for Free

TL;DR

markdown-it-py collapses runs of adjacent inline text tokens into a single string in the fragments_join inline rule and the text_join core rule. Before the fix, both rules rebuilt the merged content with repeated pairwise a + b string concatenation inside a loop, which is quadratic in the length of each contiguous run. A crafted Markdown document containing very long runs of adjacent text or delimiter tokens, such as tens of thousands of intraword underscores on one line, forces this quadratic work and drives excessive CPU time and very large peak memory allocation while rendering. The fix collapses each contiguous run in a single "".join(...) pass, restoring linear time and memory behavior.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

markdown-it-py is vulnerable to Denial of Service (DoS) in versions 0.1.0 - 4.0.0.

How to fix this

Upgrade the markdown-it-py library to the patch version.