chore: Update dependency pymdown-extensions to v10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
pymdown-extensions	==9.7 → ==10.16.1

GitHub Vulnerability Alerts

CVE-2023-32309

Summary

Arbitrary file read when using include file syntax.

Details

By using the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd".

Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal.
The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py.

base = "docs"
path = "/etc/passwd"
filename = os.path.join(base,path) # Filename is now /etc/passwd

PoC

import markdown

payload = "--8<-- \"/etc/passwd\""
html = markdown.markdown(payload, extensions=['pymdownx.snippets'])

print(html)

Impact

Any readable file on the host where the plugin is executing may have its content exposed. This can impact any use of Snippets that exposes the use of Snippets to external users.

It is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed.

Suggestion

Specified snippets should be restricted to the configured, specified base paths as a safe default. Allowing relative or absolute paths that escape the specified base paths would need to be behind a feature switch that must be opt-in and would be at the developer's own risk.

CVE-2025-68142

Impact

This issue describes a ReDOS bug found within the figure caption extension (pymdownx.blocks.caption ).

In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted.

Patches

This issue is patched in Release 10.16.1.

Workarounds

Some possible workarounds

If users are concerned about this vulnerability and process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems, the use of pymdownx.blocks.caption could be avoided until the library is updated to 10.16.1+.

References

The original issue https://github.com/facelessuser/pymdown-extensions/issues/2716.

Description

The original issue came through PyMdown Extensions' normal issue tracker instead of the typical security flow: https://github.com/facelessuser/pymdown-extensions/issues/2716. Because this came through the normal issue flow, it was handled as a normal issue. In the future, PyMdown Extensions will ensure such issues, even if prematurely made public through the normal issue flow, are redirected through the typical security process.

The regular expression pattern in question is as follows:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

The POC was provided by @​ShangzhiXu

import re
import time

regex_pattern = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

for i in range(50, 500, 50):
    long_string = '1' * i + 'a'
    start_time = time.time()
    match = re.match(regex_pattern, long_string)
    end_time = time.time()
    print(f"long_string execution time: {end_time - start_time:.6f} s")

The issue with the above pattern is that . was used, which accepts any character when we meant to use \.. The fix was to update the pattern to:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')

Relevant PR with fix: https://github.com/facelessuser/pymdown-extensions/pull/2717

Version(s) & System Info

• Operating System: Any
• Python Version: Any

---

Release Notes

facelessuser/pymdown-extensions (pymdown-extensions)

v10.16.1: 10.6.1

Compare Source

10.16.1

• FIX: Inefficient regular expression pattern for figure caption numbers.

v10.16

Compare Source

10.16

• NEW: Add early support for Python 3.14.
• NEW: Drop support for Python 3.8.
• NEW: Snippets: Added max_retries and backoff_retries options to configure new retry logic for HTTP 429
  errors (Too Many Requests client error).
• NEW: Caption: Prefix templates are now preserved exactly as specified allowing the insertion of HTML tags if
  desired.
• FIX: Caption: Fix issue where manual numbers in auto were not respected appropriately.

v10.15

Compare Source

10.15.0

• NEW: SuperFences: Add relaxed_headers option which can tolerate bad content in the fenced code header. When
  enabled, code blocks with bad content in the header will likely still convert into code blocks, often respecting
  the specified language.
• NEW: Add type hints to the Blocks interface and a few additional files.
• FIX: Blocks: Fix some corner cases of nested blocks with lists.
• FIX: Tab and Tabbed: Fix a case where tabs could fail if combine_header_slug was enabled and there was no
  header.

v10.14.3

Compare Source

10.14.3

• FIX: Blocks: An empty, raw block type should not cause an error.

v10.14.2

Compare Source

10.14.2

• FIX: Blocks: Fix some corner cases with md_in_html.

v10.14.1

Compare Source

10.14.1

• FIX: MagicLink: Ensure that repo names that start with . are handled correctly.
• FIX: FancyLists: Fix case were lists could be falsely created when a line started with . or ).

v10.14

Compare Source

10.14

• NEW: Blocks.HTML: Add new custom option to specify tags and the assumed handling for them when automatic mode
  is assumed. This can also be used to override the handling for recognized tags with automatic handling.
• FIX: Fix tests to pass with Pygments 2.19+.

v10.13

Compare Source

10.13

• NEW: Snippets: Allow multiple line numbers or line number blocks separated by ,.
• NEW: Snippets: Allow using a negative index for number start indexes and end indexes. Negative indexes are converted to positive indexes based on the number of lines in the snippet.
• FIX: Snippets: Properly capture empty newline at end of file.
• FIX: Snippets: Fix issue where when non sections of files are included, section labels are not stripped.
• FIX: BetterEm: Fixes for complex cases.
• FIX: Blocks: More consistent handling of empty newlines in block processor extensions.

v10.12

Compare Source

10.12

• NEW: Blocks: Blocks extensions no longer considered in beta.
• NEW: Details: Details is marked as "legacy" in documentation in favor of the new pymdownx.blocks.details approach.
• NEW: Tabbed: Tabbed is marked as "legacy" in documentation in favor of the new pymdownx.blocks.tab approach.
• NEW: Caption: Add new "blocks" style extension called Caption which helps with specifying figures with captions.
• NEW: Emoji: Add a new strict option that will raise an exception if an emoji is used whose name has changed,
  removed, or never existed.
• FIX: Emoji: Emoji links should be generated such that they point to the new CDN version.

v10.11.2

Compare Source

10.11.2

• FIX: SuperFences: Fix a regression where certain patterns could cause a hang.

v10.11.1

Compare Source

10.11.1

• Fix: SuperFences: Fix regression where an omitted language in conjunction with options in the fenced header
  can cause a fence to not be parsed.

v10.11

Compare Source

10.11

• NEW: SuperFences: Allow fenced code to be parsed in the form ```lang {.class #id}.

v10.10.2

Compare Source

10.10.2

• FIX: BetterEm: Add better support for *em, **em,strong*** and _em, __em,strong___ cases.
• FIX: Caret: Add better support for *sup, **sup,ins***.
• FIX: Tilde: Add better support for *sub, **sub,del***.

v10.10.1

Compare Source

10.10.1

• FIX: FancyLists: Remove a mistaken semicolon from injected classes.

v10.10

Compare Source

10.10

• NEW: FancyLists: Add new FancyLists extension.
• NEW: MagicLink: Change social links to support x instead of twitter. twitter is still recognized but is
  now deprecated and will be removed at a future time.
• NEW: Emoji: Update Twemoji data to the latest.
• FIX: PathConverter: Fixes for latest changes in Python regarding urlunparse.

v10.9

Compare Source

10.9

• NEW: Officially support Python 3.13.
• FIX: Snippets: Better handling of cases where URL snippet requests contain no header length.

v10.8.1

Compare Source

10.8.1

• FIX: Snippets: Fix snippet line range with a start of line 1.

v10.8

Compare Source

10.8

• NEW: Require Python Markdown 3.6+.
• FIX: Fix some test cases.
• FIX: Fix warnings due to recent changes in Python Markdown.

v10.7.1

Compare Source

10.7.1

• FIX: SmartSymbols: Ensure symbols are properly translated in table of content tokens.

v10.7

Compare Source

10.7

• NEW: Emoji: Update Twemoji and Gemoji data to latest.
• NEW: Emoji: Due to recent Gemoji update, non-standard emoji are no longer indexed. So emoji such as :octocat:
  are no longer resolved.
• NEW: Highlight: Added new option default_lang which will cause code blocks with no language specifier to be
  highlighted with the specified default language instead of plain text. This affects indented code blocks and code
  blocks defined with SuperFences.
• NEW: InlineHilite: style_plain_text can be specified with a language string (in addition to its previous
  boolean requirement) to treat inline code blocks with no explicit language specifier with a specific default
  language.

v10.6

Compare Source

10.6

• NEW: MagicLink: Allow configuring custom repository providers based off the existing providers.

v10.5

Compare Source

10.5

• NEW: Blocks: Admonitions and Details now allow configuring custom block classes and default titles.
• FIX: Keys: Ensure that Keys does not parse base64 encoded URLs.

v10.4

Compare Source

10.4

• NEW: Snippets: Allow PathLike objects for base_path to better support interactions with MkDocs.
• FIX: Block Admonitions: Empty titles should be respected.
• FIX: Block Details: Empty summary should be respected.

v10.3.1

Compare Source

10.3.1

• FIX: SuperFences: Fix an issue where braces were not handled properly in attributes.

v10.3

Compare Source

10.3

• NEW: Officially support Python 3.12.
• NEW: Drop Python 3.7 support.

v10.2.1

Compare Source

10.2.1

• FIX: Tabbed: Fix regression.

v10.2

Compare Source

10.2

• NEW: Highlight: Add new stripnl option to configure Pygments' default handling of stripping leading and
  and trailing new lines from code blocks. Mainly affects fenced code blocks.
• FIX: SuperFences: Fix issue where when SuperFences attempts to test if a placeholder is its own, it can throw
  an exception.

v10.1

Compare Source

v10.0.1

Compare Source

10.0.1

• FIX: Regression related to snippets nested deeply under specified base path.

v10.0

Compare Source

10.0

• Break: Snippets: snippets will restrict snippets to ensure they are under the base_path preventing snippets
  relative to the base_path but not explicitly under it. restrict_base_path can be set to False for legacy
  behavior.

v9.11

Compare Source

9.11

• NEW: Emoji: Update to new CDN and use Twemoji 14.1.2.
• NEW: Snippets: Ignore nested snippet section syntax when including a section.

v9.10

Compare Source

9.10

• NEW: Blocks: Add new experimental general purpose blocks that provide a framework for creating fenced block
  containers for specialized parsing. A number of extensions utilizing general purpose blocks are included and are meant
  to be an alternative to (and maybe one day replace): Admonitions, Details, Definition Lists, and Tabbed. Also adds a
  new HTML plugin for quick wrapping of content with arbitrary HTML elements.
• NEW: Highlight: When enabling line spans and/or line anchors, if a code block has an ID associated with it, line
  ids will be generated using that code ID instead of the code block count.
• NEW: Snippets: Expand section syntax to allow section names with - and _.
• NEW: Snippets: When check_paths is enabled, and a specified section is not found, raise an error.
• NEW: Snippets: Add new experimental feature dedent_sections that will de-indent (remove any common leading
  whitespace from every line in text) from that block of text.
• NEW: MagicLink: Update GitLab links to match recent changes and to be more correct.
• NEW: MagicLink: Relax required hash length when performing link shortening.

v9.9.2

Compare Source

9.9.2

• FIX: Snippets syntax can break in XML comments as XML comments do not allow --. Relax Snippets syntax such that
  -8<- (single -) are allowed.

v9.9.1

Compare Source

9.9.1

• FIX: Use a different CDN for Twemoji icons as MaxCDN is no longer available.

v9.9

Compare Source

9.9

• ENHANCE: BetterEm: Further improvements to strong/emphasis handling:
  • Ensure that one or more consecutive * or _ surrounded by whitespace are not considered as a token.
• ENHANCE: Caret: Apply recent BetterEm improvements to Caret:
  • Fix case where ^^ nested between ^ would be handled in an unexpected way.
  • Ensure that one or more consecutive ^ surrounded by whitespace are not considered as a token.
• ENHANCE: Tilde: Apply recent BetterEm improvements to Tilde:
  • Fix case where ~~ nested between ~ would be handled in an unexpected way.
  • Ensure that one or more consecutive ~ surrounded by whitespace are not considered a token.
• ENHANCE: Mark: Apply recent BetterEm improvements to Mark:
  • Ensure that one or more consecutive = surrounded by whitespace are not considered a token.

v9.8

Compare Source

9.8

• NEW: Formally declare support for Python 3.11.
• FIX: BetterEm: Fix case where ** nested between * would be handled in an unexpected way.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.