CVE-2025-68142

MEDIUM
Published Dec 16, 2025 Modified Feb 3, 2026 CWE-1333

Description

PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hanges when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they're able to upgrade.

CVSS v3.1 Score

5.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness Type (CWE)

CWE-1333 CWE-1333

Affected Products

Vendor Product
facelessuser pymdown_extensions

References

Frequently Asked Questions

What is CVE-2025-68142? +
PyMdown Extensions is a set of extensions for the `Python-Markdown` markdown project. Versions prior to 10.16.1 have a ReDOS bug found within the figure caption extension (`pymdownx.blocks.caption`). In systems that take unchecked user content, this could cause long hanges when processing the data if a malicious payload was crafted. This issue is patched in Release 10.16.1. As a workaround, those who process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems may avoid the use of `pymdownx.blocks.caption` until they're able to upgrade. It has a CVSS v3.1 base score of 5.3 (MEDIUM).
How severe is CVE-2025-68142? +
CVE-2025-68142 has a CVSS v3.1 score of 5.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance.
What products are affected by CVE-2025-68142? +
CVE-2025-68142 affects products from facelessuser, specifically: pymdown_extensions. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-68142? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-48058

PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a …
CVE-2025-48059

PowSyBl (Power System Blocks) is a framework to build power system oriented software. In com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 …
CVE-2025-6998

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service …
CVE-2025-54363

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression …
CVE-2025-54364

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression …
CVE-2025-58451

Cattown is a JavaScript markdown parser. Versions prior to 1.0.2 used regular expressions with inefficient, potentially exponential worst-case complexity. This …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2025-68142 — free, no signup required.

Start Free Scan