markdown2@1.0.1.19 vulnerabilities

A fast and complete Python implementation of Markdown

  • latest version

    2.5.4

  • first published

    17 years ago

  • latest version published

    4 months ago

  • Direct Vulnerabilities

    Known vulnerabilities in the markdown2 package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity: H = high, M = medium) | Vulnerable Version
    • M
    Regular Expression Denial of Service (ReDoS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the _sorta_html_tokenize_re regex used in the HTML tokenizer. The subpattern for quoted attribute values (".*?") is not properly constrained, so input containing nested or repeated incomplete tags causes catastrophic backtracking and excessive CPU consumption. A remote unauthenticated attacker can exploit this by submitting markdown containing repeated <p m="1" tags followed by spaces (e.g., <p m="1"<p m="1"…), which hangs the application or causes a Denial of Service through excessive processing time.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade markdown2 to version 2.5.4 or higher.

    [,2.5.4)
    • M
    Cross-site Scripting (XSS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in safe_mode due to improper handling of incomplete HTML tags. The _encode_incomplete_tags() function fails to properly check for auto links, allowing unescaped incomplete tags to pass through and be rendered. A remote unauthenticated attacker can exploit this vulnerability by submitting markdown containing incomplete tags with malicious attributes (e.g., <img src=x onerror=alert("xss")//>), resulting in arbitrary JavaScript execution in the rendered HTML.

    How to fix Cross-site Scripting (XSS)?

    Upgrade markdown2 to version 2.5.4 or higher.

    [,2.5.4)
    • M
    Cross-site Scripting (XSS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the _do_link_patterns method of the Markdown class in lib/markdown2.py, which insufficiently sanitizes image URLs. An attacker can exploit this by crafting specially formatted markdown input containing malicious image URLs.

    How to fix Cross-site Scripting (XSS)?

    Upgrade markdown2 to version 2.5.1 or higher.

    [,2.5.1)
    • M
    Cross-site Scripting (XSS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) within the Markdown class in lib/markdown2.py, which insufficiently sanitizes attribute values. An attacker can exploit this by crafting specially formatted markdown input containing HTML tags with malicious attributes.

    How to fix Cross-site Scripting (XSS)?

    Upgrade markdown2 to version 2.5.1 or higher.

    [,2.5.1)
    • M
    Cross-site Scripting (XSS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper input sanitization for nested incomplete tags.

    How to fix Cross-site Scripting (XSS)?

    Upgrade markdown2 to version 2.4.4 or higher.

    [,2.4.4)
    • M
    Regular Expression Denial of Service (ReDoS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the insecure regex \*\*(?=\S)(.+?[*_]*)(?<=\S)\*\*. Exploiting this vulnerability causes catastrophic backtracking and excessive CPU consumption.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade markdown2 to version 2.4.11 or higher.

    [,2.4.11)
    • M
    Cross-site Scripting (XSS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS): the sanitization can be bypassed on any HTML element by including a newline, which the .+ pattern used for matching does not match.

    How to fix Cross-site Scripting (XSS)?

    Upgrade markdown2 to version 2.4.4 or higher.

    [0,2.4.4)
    • M
    Regular Expression Denial of Service (ReDoS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an insecure regular expression used in the _prepare_pyshell_blocks function.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade markdown2 to version 2.4.3 or higher.

    [,2.4.3)
    • M
    Regular Expression Denial of Service (ReDoS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via URL auto-linking.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade markdown2 to version 2.4.2 or higher.

    [,2.4.2)
    • H
    Regular Expression Denial of Service (ReDoS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the _do_headers function.

    PoC:

    import markdown2

    # 100,000 spaces followed by '$' triggers catastrophic backtracking in _do_headers
    markdown2.markdown(' '*100000+'$')


    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade markdown2 to version 2.4.1 or higher.

    [,2.4.1)
    • H
    Regular Expression Denial of Service (ReDoS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). A malicious string can make markdown2 spend an exponential amount of processing time on it, hanging the caller.

    PoC:

    import markdown2

    # Each call hangs in the affected versions; the padding length (3456) is from the original report
    markdown2.markdown('[#a' + ' ' * 3456, extras=['numbering'])

    markdown2.markdown('```' + '\n' * 3456, extras=['fenced-code-blocks'])

    markdown2.markdown('-*-' + ' ' * 3456, use_file_vars=True)


    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade markdown2 to version 2.4.0 or higher.

    [1.0.1.18,2.4.0)
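    Every ReDoS entry above has the same operational mitigation until the upgrade lands: render untrusted markdown in a process that can be killed when it overruns a CPU budget. The following is an added example, not code from markdown2 or from any of these advisories. fast_render, hanging_render and failing_render are hypothetical stand-ins for a healthy renderer, a renderer stuck in catastrophic backtracking and a renderer that raises; in deployment the real markdown2.markdown (or a functools.partial of it carrying extras) is passed in their place, and the PoC strings from the entries above are the inputs to try.

```python
import multiprocessing as mp
import time
from typing import Any, Callable, Optional, Tuple

# Hypothetical renderers standing in for markdown2.markdown(): one healthy, one that
# never returns (as a renderer stuck in catastrophic regex backtracking would not),
# and one that raises. None of this is markdown2 code.
def fast_render(text: str) -> str:
    return "<p>" + text + "</p>\n"


def hanging_render(text: str) -> str:
    while True:  # burns CPU forever, like the ReDoS PoCs on this page
        pass


def failing_render(text: str) -> str:
    raise ValueError("renderer rejected input")


def _worker(conn, render: Callable[[str], str], text: str) -> None:
    """Child side: run the renderer and ship the outcome back over the pipe."""
    try:
        conn.send(("ok", render(text)))
    except Exception as exc:  # report renderer errors instead of losing them
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def render_with_timeout(render: Callable[[str], str], text: str,
                        timeout: float = 2.0) -> Tuple[str, Optional[Any], float]:
    """Run render(text) in a child process and kill it if it exceeds `timeout` seconds.

    Returns (status, payload, elapsed) with status "ok", "error" or "timeout".
    A thread is not enough here: a regex match stuck in the re engine cannot be
    interrupted from Python, so only a separate process can be stopped reliably.
    """
    methods = mp.get_all_start_methods()
    ctx = mp.get_context("fork" if "fork" in methods else methods[0])
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(send_end, render, text))
    start = time.monotonic()
    proc.start()
    send_end.close()  # the parent keeps only the receiving end
    if recv_end.poll(timeout):
        try:
            status, payload = recv_end.recv()
        except EOFError:  # child exited without reporting (crash, OOM kill)
            status, payload = "error", "child exited without a result"
        proc.join()
    else:
        proc.kill()  # SIGKILL cannot be caught, so the child dies mid-backtrack
        proc.join()
        status, payload = "timeout", None
    recv_end.close()
    return status, payload, time.monotonic() - start


if __name__ == "__main__":
    print(render_with_timeout(fast_render, "hello"))
    print(render_with_timeout(hanging_render, " " * 100000 + "$", timeout=1.0))
```

    The budget should be generous enough for the largest legitimate document you accept and small enough that a flood of PoC inputs cannot pin every worker; treat a "timeout" result as a rejected request, not a retry.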
    • H
    Cross Site Scripting (XSS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Cross Site Scripting (XSS) via link_text in markdown2.py.

    How to fix Cross Site Scripting (XSS)?

    Upgrade markdown2 to version 2.3.9 or higher.

    [,2.3.9)
    • H
    Cross-site Scripting (XSS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). Element names are mishandled unless a \w+ match succeeds. For example, an attack might use elementname@ or elementname- with an onclick attribute.

    How to fix Cross-site Scripting (XSS)?

    Upgrade markdown2 to version 2.3.9 or higher.

    [0,2.3.9)
    • M
    Cross-site Scripting (XSS)

    markdown2 is a fast and complete Python implementation of Markdown.

    Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks via the safe_mode feature, which is supposed to sanitize user input against XSS. With a crafted payload, XSS can be triggered, as demonstrated by omitting the final '>' character from an IMG tag.

    PoC by Vineet Kumar

    >>> from markdown2 import markdown as mark
    >>> mark('<img src="" onerror=alert(/XSS/)>', safe_mode=True)
    u'<p>[HTML_REMOVED]</p>\n'
    >>> mark('<img src="" onerror=alert(/XSS/) ', safe_mode=True) # Please notice the space at end of string.
    u'<p><img src="" onerror=alert(/XSS/) </p>\n'
    >>> mark('<img src="" onerror=alert(/XSS/)>', safe_mode="escape")
    u'<p>&lt;img src="" onerror=alert(/XSS/)&gt;</p>\n'
    >>> mark('<img src="" onerror=alert(/XSS/) ', safe_mode="escape")
    u'<p><img src="" onerror=alert(/XSS/) </p>\n'
    

    How to fix Cross-site Scripting (XSS)?

    Upgrade markdown2 to version 2.3.7 or higher.

    [,2.3.7)
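    To turn the ranges listed above into an actionable check, the following added example (not code from Snyk or from markdown2) transcribes the fourteen vulnerable ranges on this page and tests an installed version against them with numeric comparison, which matters because a string comparison would rank 2.4.11 below 2.4.4. The summaries in the table are shorthand for the entries above, and the range grammar assumed is the page's own: "[lo,hi)" with an empty or 0 lower bound meaning no lower bound.

```python
import re
from functools import cmp_to_key
from typing import List, Optional, Tuple

# Transcribed from the advisory list on this page: (severity, summary, vulnerable range).
# The range syntax is the page's own: "[lo,hi)" where an empty or "0" lower bound means
# "every version below hi", ")" is exclusive and "]" would be inclusive.
ADVISORIES = [
    ("M", "ReDoS in the HTML tokenizer regex _sorta_html_tokenize_re", "[,2.5.4)"),
    ("M", "XSS in safe_mode via incomplete tags (_encode_incomplete_tags)", "[,2.5.4)"),
    ("M", "XSS via image URLs in _do_link_patterns", "[,2.5.1)"),
    ("M", "XSS via insufficiently sanitized attribute values", "[,2.5.1)"),
    ("M", "XSS via nested incomplete tags", "[,2.4.4)"),
    ("M", "ReDoS in the strong-emphasis regex", "[,2.4.11)"),
    ("M", "XSS bypass with a newline not matched by .+", "[0,2.4.4)"),
    ("M", "ReDoS in _prepare_pyshell_blocks", "[,2.4.3)"),
    ("M", "ReDoS via URL auto-linking", "[,2.4.2)"),
    ("H", "ReDoS in _do_headers", "[,2.4.1)"),
    ("H", "ReDoS via numbering / fenced-code-blocks / use_file_vars", "[1.0.1.18,2.4.0)"),
    ("H", "XSS via link_text", "[,2.3.9)"),
    ("H", "XSS via element names that do not match \\w+", "[0,2.3.9)"),
    ("M", "XSS in safe_mode via an unterminated IMG tag", "[,2.3.7)"),
]

_RANGE_RE = re.compile(r"^([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple of ints (so 2.4.11 sorts after 2.4.4)."""
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1; shorter tuples are padded with zeros so 2.5 == 2.5.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (n - len(ta)), tb + (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def in_range(version: str, rng: str) -> bool:
    """True if `version` falls inside a range such as "[1.0.1.18,2.4.0)"."""
    m = _RANGE_RE.match(rng)
    if not m:
        raise ValueError(f"unrecognised range: {rng!r}")
    lo_br, lo, hi, hi_br = m.groups()
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True


def affected(version: str) -> List[Tuple[str, str, str]]:
    """Every advisory on this page whose vulnerable range contains `version`."""
    return [adv for adv in ADVISORIES if in_range(version, adv[2])]


def minimum_fix(version: str) -> Optional[str]:
    """Smallest version that clears all advisories hitting `version`, or None if clean.

    Only exclusive upper bounds are handled: for "[lo,hi)" the first safe version is hi.
    """
    fixes = []
    for _, _, rng in affected(version):
        _, _, hi, hi_br = _RANGE_RE.match(rng).groups()
        if not hi or hi_br != ")":
            raise ValueError(f"cannot derive a fix version from {rng!r}")
        fixes.append(hi)
    if not fixes:
        return None
    return max(fixes, key=cmp_to_key(compare_versions))


if __name__ == "__main__":
    installed = "1.0.1.19"  # the version this page is about
    for sev, summary, rng in affected(installed):
        print(f"[{sev}] {summary}  {rng}")
    print("upgrade to at least", minimum_fix(installed))
    # Why numeric comparison matters: as strings, "2.4.11" < "2.4.4" is True.
    print("2.4.11 > 2.4.4 numerically:", compare_versions("2.4.11", "2.4.4") > 0)
```

    Feed it the output of pip show markdown2 (or the version pinned in a lock file) and fail the build when affected() is non-empty; the same parser covers any other Snyk-style range you add to the table.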