CVE-2025-69534

Published: March 10, 2026
Last modified: March 13, 2026

Description

Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.
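One way an application can contain the failure described above while the upgrade is rolled out, shown as an added example that is not code from Python-Markdown or from this advisory. The names has_fix, version_tuple and render_untrusted are hypothetical, and the version check only tests for the fixed release 3.8.1 named here.

```python
import html
import logging
import re
from importlib import metadata

log = logging.getLogger("md_render")
FIXED_RELEASE = (3, 8, 1)  # fixed version named in the advisory


def version_tuple(version):
    """Leading numeric components, padded to three: '3.8' -> (3, 8, 0)."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    nums = tuple(int(p) for p in match.group(0).split(".")) if match else ()
    return nums + (0,) * (3 - len(nums))


def has_fix(version=None):
    """True when the given (or installed) Python-Markdown is at or above 3.8.1."""
    if version is None:
        version = metadata.version("Markdown")  # PyPI distribution name
    return version_tuple(version) >= FIXED_RELEASE


def render_untrusted(text, renderer=None):
    """Render untrusted Markdown without letting a parser failure escape.

    Returns (html, ok). On failure the input is returned HTML-escaped, so the
    request still completes and no traceback reaches the client.
    """
    if renderer is None:
        import markdown  # imported lazily so a stub can be injected in tests
        renderer = markdown.markdown
    try:
        return renderer(text), True
    except Exception as exc:  # includes the AssertionError from html.parser
        # Log only the exception type server-side; never echo it to the user.
        log.warning("markdown render failed: %s", type(exc).__name__)
        return "<pre>" + html.escape(text) + "</pre>", False
```

The wrapper limits the crash and the traceback exposure only; upgrading to a fixed release remains the actual remediation.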

Severity score breakdown

Parameter             Value
Base score            7.5
Attack Vector         NETWORK
Attack complexity     LOW
Privileges required   NONE
User interaction      NONE
Scope                 UNCHANGED
Confidentiality       NONE
Integrity impact      NONE
Availability impact   HIGH
Vector                CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Notes

python3 in 25 LTS and Stream is not affected because its current version 3.12.12 contains the following backported patch:
https://github.com/python/cpython/commit/dcf24768c918c41821cda6fe6a1aa20ce26545dd

That patch also brings the change from the commit that fixes the current CVE:
https://github.com/python/cpython/commit/76c0b01bc401c3e976011bbc69cec56dbebe0ad5

Specifically:
https://github.com/python/cpython/commit/dcf24768c918c41821cda6fe6a1aa20ce26545dd#diff-da26f443eb16696a27ae56d506f3350528284855872c7fc98cb5a9231550ead8L242

Status

Product               Release   Package   Status
Alpaquita Linux       23 LTS    python3   Fixed (3.11.13-r4)
Alpaquita Linux       25 LTS    python3   Not affected (3.12.10-r1)
Alpaquita Linux       Stream    python3   Not affected (3.11.4-r0)
Hardened Containers   23 LTS    python3   Fixed (3.11.13-r4)
Hardened Containers   25 LTS    python3   Not affected (3.12.10-r1)
Hardened Containers   Stream    python3   Not affected (3.11.4-r0)
