chore(deps): update dependency pymdown-extensions to v10.16.1 [security]

[renovate]

This PR contains the following updates:

Package	Update	Change	OpenSSF
pymdown-extensions	patch	==10.16 → ==10.16.1

---

PyMdown Extensions has a ReDOS bug in its Figure Capture extension

CVE-2025-68142 / GHSA-r6h4-mm7h-8pmq

More information

Details

Impact

This issue describes a ReDOS bug found within the figure caption extension (pymdownx.blocks.caption ).

In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted.

Patches

This issue is patched in Release 10.16.1.

Workarounds

Some possible workarounds

If users are concerned about this vulnerability and process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems, the use of pymdownx.blocks.caption could be avoided until the library is updated to 10.16.1+.

References

The original issue https://github.com/facelessuser/pymdown-extensions/issues/2716.

Description

The original issue came through PyMdown Extensions' normal issue tracker instead of the typical security flow: https://github.com/facelessuser/pymdown-extensions/issues/2716. Because this came through the normal issue flow, it was handled as a normal issue. In the future, PyMdown Extensions will ensure such issues, even if prematurely made public through the normal issue flow, are redirected through the typical security process.

The regular expression pattern in question is as follows:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

The POC was provided by @​ShangzhiXu

import re
import time

regex_pattern = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

for i in range(50, 500, 50):
    long_string = '1' * i + 'a'
    start_time = time.time()
    match = re.match(regex_pattern, long_string)
    end_time = time.time()
    print(f"long_string execution time: {end_time - start_time:.6f} s")

The issue with the above pattern is that . was used, which accepts any character when we meant to use \.. The fix was to update the pattern to:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')

Relevant PR with fix: https://github.com/facelessuser/pymdown-extensions/pull/2717

Version(s) & System Info

• Operating System: Any
• Python Version: Any

Severity

• CVSS Score: 2.7 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

References

• https://github.com/facelessuser/pymdown-extensions/security/advisories/GHSA-r6h4-mm7h-8pmq
• https://nvd.nist.gov/vuln/detail/CVE-2025-68142
• https://github.com/facelessuser/pymdown-extensions/commit/b50d15a56850ed1408a284bba81cc019c6bd72e8
• https://github.com/facelessuser/pymdown-extensions
• https://pypi.org/project/pymdown-extensions/10.16.1

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

facelessuser/pymdown-extensions (pymdown-extensions)

v10.16.1: 10.6.1

Compare Source

10.16.1

• FIX: Inefficient regular expression pattern for figure caption numbers.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Overview

Image reference	djaytan/papermc-server:1.21.4	djaytan/papermc-server:test
- digest	e5ddd5b8b4b2	31f0592ee5e1
- tag	1.21.4	test
- stream	latest
- provenance	221f80c
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	133 MB	144 MB (+10 MB)
- packages	170	177 (+7)
Base Image	alpine:3.22.0 also known as: • 3 • 3.22 • latest	alpine:3 also known as: • 3.22 • latest
- vulnerabilities

Policies (0 improved, 2 worsened, 3 missing data)

Policy Name	djaytan/papermc-server:1.21.4	djaytan/papermc-server:test	Change	Standing
No unapproved base images	⚠️ 1	❓ No data
Default non-root user	✅	✅		No Change
No AGPL v3 licenses	✅	✅		No Change
No fixable critical or high vulnerabilities	⚠️ 14	⚠️ 15	+1	Worsened
No high-profile vulnerabilities	✅	✅		No Change
No outdated base images	✅	❓ No data
SonarQube quality gates passed	❓ No data	❓ No data
Supply chain attestations	✅	⚠️ 2	+2	Worsened

Packages and Vulnerabilities (10 package changes and 5 vulnerability changes)

• ➕ 8 packages added
• ➖ 1 packages removed
• ♾️ 1 packages changed
• 164 packages unchanged

• ❗ 5 vulnerabilities added

Changes for packages of type apk (8 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
➕	alpine-base		3.22.0-r0
➕	ca-certificates		20241121-r2
➕	gcc		14.2.0-r6
♾️	libxml2	2.13.9-r0	2.13.8-r0
			Added vulnerabilities (5):
➕	ncurses		6.5_p20250503-r0
➕	openssl		3.5.0-r0
			Added vulnerabilities (4):
➕	pax-utils		1.3.8-r1
➕	xz		5.8.1-r0

Changes for packages of type generic (2 changes)

	Package	Version djaytan/papermc-server:1.21.4	Version djaytan/papermc-server:test
➖	openjdk	21.0.7
➕	openjdk		21.0.7

[github-actions]

🔍 Vulnerabilities of djaytan/papermc-server:test

📦 Image Reference djaytan/papermc-server:test

digest	sha256:31f0592ee5e1de1930b20901f3f4ec4e9b3e0cbe8907b8381533e718752d478b
vulnerabilities
platform	linux/amd64
size	144 MB
packages	177

📦 Base Image alpine:3

also known as	3.22 3.22.0 latest
digest	sha256:08001109a7d679fe33b04fa51d681bd40b975d8f5cea8c3ef6c0eccb6a7338ce
vulnerabilities

libxml2 2.13.8-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22 Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.459% EPSS Percentile 63rd percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.263% EPSS Percentile 49th percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.584% EPSS Percentile 68th percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.141% EPSS Percentile 35th percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.017% EPSS Percentile 3rd percentile Description

stdlib 1.24.4 (golang) pkg:golang/[email protected] Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.016% EPSS Percentile 3rd percentile Description Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.026% EPSS Percentile 6th percentile Description The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.026% EPSS Percentile 6th percentile Description The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input. This affects programs which parse untrusted PEM inputs. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.014% EPSS Percentile 2nd percentile Description Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains. Affected range <1.24.9 Fixed version 1.24.9 EPSS Score 0.015% EPSS Percentile 3rd percentile Description Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains. Affected range <1.24.11 Fixed version 1.24.11 EPSS Score 0.021% EPSS Percentile 5th percentile Description An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com. Affected range >=1.24.0 <1.24.6 Fixed version 1.24.6 EPSS Score 0.020% EPSS Percentile 5th percentile Description If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.025% EPSS Percentile 6th percentile Description The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.019% EPSS Percentile 4th percentile Description When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.029% EPSS Percentile 7th percentile Description Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.033% EPSS Percentile 9th percentile Description Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.025% EPSS Percentile 6th percentile Description The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement. Affected range <1.24.8 Fixed version 1.24.8 EPSS Score 0.014% EPSS Percentile 2nd percentile Description tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

org.apache.commons/commons-compress 1.5 (maven) pkg:maven/org.apache.commons/[email protected] Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.802% EPSS Percentile 73rd percentile Description When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.437% EPSS Percentile 80th percentile Description When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package. Improper Handling of Length Parameter Inconsistency Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 1.893% EPSS Percentile 83rd percentile Description When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Excessive Iteration Affected range <1.21 Fixed version 1.21 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.843% EPSS Percentile 74th percentile Description When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package. Loop with Unreachable Exit Condition ('Infinite Loop') Affected range >=1.3 <1.26.0 Fixed version 1.26.0 CVSS Score 5.9 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H EPSS Score 0.018% EPSS Percentile 4th percentile Description Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.

openssl 3.5.0-r0 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22 Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.026% EPSS Percentile 6th percentile Description Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.016% EPSS Percentile 3rd percentile Description Affected range <3.5.1-r0 Fixed version 3.5.1-r0 EPSS Score 0.015% EPSS Percentile 2nd percentile Description Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.027% EPSS Percentile 7th percentile Description

com.google.protobuf/protobuf-java 4.26.1 (maven) pkg:maven/com.google.protobuf/[email protected] Improper Input Validation Affected range >=4.0.0-RC1 <4.27.5 Fixed version 4.27.5 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N EPSS Score 0.085% EPSS Percentile 25th percentile Description Summary When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [email protected] Affected versions: This issue affects all versions of both the Java full and lite Protobuf runtimes, as well as Protobuf for Kotlin and JRuby, which themselves use the Java Protobuf runtime. Severity CVE-2024-7254 High CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication) This is a potential Denial of Service. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker. Proof of Concept For reproduction details, please refer to the unit tests (Protobuf Java LiteTest and CodedInputStreamTest) that identify the specific inputs that exercise this parsing weakness. Remediation and Mitigation We have been working diligently to address this issue and have released a mitigation that is available now. Please update to the latest available versions of the following packages: protobuf-java (3.25.5, 4.27.5, 4.28.2) protobuf-javalite (3.25.5, 4.27.5, 4.28.2) protobuf-kotlin (3.25.5, 4.27.5, 4.28.2) protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2) com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)

golang.org/x/net 0.34.0 (golang) pkg:golang/golang.org/x/[email protected] Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <0.38.0 Fixed version 0.38.0 CVSS Score 5.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N EPSS Score 0.019% EPSS Percentile 4th percentile Description The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. , , etc contexts). Misinterpretation of Input Affected range <0.36.0 Fixed version 0.36.0 CVSS Score 4.4 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L EPSS Score 0.023% EPSS Percentile 5th percentile Description Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.

commons-lang/commons-lang 2.6 (maven) pkg:maven/commons-lang/[email protected] Uncontrolled Recursion Affected range >=2.0 <=2.6 Fixed version Not Fixed CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N EPSS Score 0.014% EPSS Percentile 2nd percentile Description Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

busybox 1.37.0-r18 (apk) pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.22 Affected range <1.37.0-r20 Fixed version 1.37.0-r20 EPSS Score 0.017% EPSS Percentile 3rd percentile Description Affected range <1.37.0-r20 Fixed version 1.37.0-r20 EPSS Score 0.020% EPSS Percentile 4th percentile Description