DEBIAN-CVE-2025-69534
Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:12 | python3.11 | 3.11.2-6, 3.11.2-6+deb12u6, 3.11.3-1 |
| Debian:14 | python3.13 | 0, 0 |
| Debian:11 | python2.7 | 2.7.18-13.1, 2.7.18-13, 2.7.18-12 |
| Debian:13 | pypy3 | 0, 7.3.19+dfsg-2, 7.3.20+dfsg-1 |
| Debian:11 | python3.9 | 3.9.2-1, 3.9.2-1, 3.9.2-1 |
| Debian:11 | pypy3 | 7.3.17+dfsg, 0, 7.3.10~rc3+dfsg-1 |
| Debian:12 | pypy3 | 7.3.17+dfsg, 7.3.12, 7.3.12 |
| Debian:14 | pypy3 | 0, 7.3.20+dfsg-3, 7.3.20+dfsg-4 |
| Debian:13 | python3.13 | 0, 0 |
Timeline
- Mar 5, 2026 CVE Published
- Apr 28, 2026 CVE Updated