CVE-2025-69534

Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.

References

Affected packages

Git / github.com/Python-Markdown/markdown

Affected ranges

Type

GIT

Repo

https://github.com/Python-Markdown/markdown

Events

Introduced

Last affected

b34e1d03387be771aa626241fe56f8f0c34243f2

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.8"
        }
    ]
}

Affected versions

1.*

1.7_Final

2.*

2.0-Final

2.0-alpha

2.0-beta

2.0-rc1

2.0.1

2.0.3

2.1.0.alpha

2.1.0.beta

2.1.0.final

2.1.1.final

2.2.0.alpha

2.2.0.final

2.2.1.final

2.3.1.final

2.3.final

2.4-final

2.4.1-final

2.5-final

2.5.1-final

2.5.2-final

2.6-final

2.6.1-final

2.6.10

2.6.11

2.6.2-final

2.6.3-final

2.6.4-final

2.6.5-final

2.6.6-final

2.6.7-final

2.6.8-final

2.6.9

3.*

3.0

3.0.1

3.1

3.1.1

3.2

3.2.1

3.2.2

3.3

3.3.1

3.3.2

3.3.3

3.3.4

3.3.5

3.3.6

3.3.7

3.4

3.4.1

3.4.2

3.4.3

3.4.4

3.5

3.5.1

3.5.2

3.6

3.7

3.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-69534.json"