CVE-2025-69534 in Python-Markdown

[Alan Coopersmith <alan.coopersmith () oracle com>]

https://www.cve.org/CVERecord?id=CVE-2025-69534 reports:

> CVE-2025-69534
> Published: 2026-03-05
> Updated: 2026-03-05
>
> Description
> -----------
>
> Python-Markdown version 3.8 contain a vulnerability where malformed
> HTML-like sequences can cause html.parser.HTMLParser to raise an
> unhandled AssertionError during Markdown parsing. Because
> Python-Markdown does not catch this exception, any application that
> processes attacker-controlled Markdown may crash. This enables remote,
> unauthenticated Denial of Service in web applications, documentation
> systems, CI/CD pipelines, and any service that renders untrusted
> Markdown. The issue was acknowledged by the vendor and fixed in
> version 3.8.1. This issue causes a remote Denial of Service in any
> application parsing untrusted Markdown, and can lead to Information
> Disclosure through uncaught exceptions.
>
> References
> ----------
>
>     https://github.com/Python-Markdown/markdown/issues/1534
>     https://github.com/Python-Markdown/markdown
>     https://github.com/Python-Markdown/markdown/actions/runs/15736122892

The comments in the linked GitHub issue though note that the root cause is
"a bug in the standard lib's HTMLParser which was just fixed last month (see
 cpython#77057)." and that they are just providing a workaround for older
Python versions without that fix yet.

https://github.com/python/cpython/issues/77057 appears to be fixed in
3.13.4 & 3.14.0b2, but doesn't have a security advisory that I've found.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris