@renovate renovate bot commented May 31, 2023

This PR contains the following updates:

Package | Change | Age | Confidence
pymdown-extensions | ==7.1 -> ==10.16.1 | (badge) | (badge)

GitHub Vulnerability Alerts

CVE-2023-32309

Summary

Arbitrary file read when using include file syntax.

Details

By using the syntax --8<--"/etc/passwd" or --8<--"/proc/self/environ" the content of these files will be rendered in the generated documentation. Additionally, a path relative to a specified, allowed base path can also be used to render the content of a file outside the specified base paths: --8<-- "../../../../etc/passwd".

Within the Snippets extension, there exists a base_path option but the implementation is vulnerable to Directory Traversal.
The vulnerable section exists in get_snippet_path(self, path) lines 155 to 174 in snippets.py.

base = "docs"
path = "/etc/passwd"
filename = os.path.join(base,path) # Filename is now /etc/passwd

PoC

import markdown

payload = "--8<-- \"/etc/passwd\""
html = markdown.markdown(payload, extensions=['pymdownx.snippets'])

print(html)

Impact

Any readable file on the host where the plugin is executing may have its content exposed. This can impact any deployment in which Snippets processes content supplied by external users.

It is never recommended to use Snippets to process user-facing, dynamic content. It is designed to process known content on the backend under the control of the host, but if someone were to accidentally enable it for user-facing content, undesired information could be exposed.

Suggestion

Specified snippets should be restricted to the configured, specified base paths as a safe default. Allowing relative or absolute paths that escape the specified base paths would need to be behind a feature switch that must be opt-in and would be at the developer's own risk.
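To show why the join-based lookup in get_snippet_path escapes the base, and what the suggested safe default looks like, here is an added example (it is not the project's code; resolve_snippet and make_demo_tree are hypothetical names, and restrict_base_path mirrors the option named in the 10.0 release note). It generalizes slightly by accepting a list of base paths, as the 8.2 release note describes.

```python
import os
import tempfile


def resolve_snippet(base_paths, requested, restrict_base_path=True):
    """Return the first existing snippet file for `requested`, or None.

    Mirrors the lookup loop described in the advisory: os.path.join() discards
    the base entirely when `requested` is absolute, and "../" segments walk out
    of it. With restrict_base_path=True (assumed default), any candidate whose
    real path does not lie inside the base directory is skipped before the
    file system is touched.
    """
    for base in base_paths:
        base_real = os.path.realpath(base)
        # realpath() normalizes ".." and resolves symlinks, so the containment
        # check below cannot be bypassed by a link inside the base.
        candidate = os.path.realpath(os.path.join(base, requested))
        if restrict_base_path:
            inside = os.path.commonpath([base_real, candidate]) == base_real
            if not inside:
                continue  # escapes the base: treat as missing, not as a hit
        if os.path.isfile(candidate):
            return candidate
    return None


def make_demo_tree():
    """Constructed sample layout: <tmp>/docs/intro.md and <tmp>/secret.txt.

    Returns (base_dir, secret_path); secret.txt sits one level above the base.
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "docs")
    os.makedirs(base)
    with open(os.path.join(base, "intro.md"), "w") as fh:
        fh.write("# intro\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("outside the base\n")
    return base, secret


if __name__ == "__main__":
    base, secret = make_demo_tree()
    # The advisory's observation: join() with an absolute path drops the base.
    print(os.path.join("docs", "/etc/passwd"))  # /etc/passwd
    for req in ("intro.md", "../secret.txt", secret):
        print(f"{req!r}: restricted={resolve_snippet([base], req)!r} "
              f"legacy={resolve_snippet([base], req, restrict_base_path=False)!r}")
```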

CVE-2025-68142

Impact

This issue describes a ReDoS bug found within the figure caption extension (pymdownx.blocks.caption).

In systems that take unchecked user content, this could cause long hangs when processing the data if a malicious payload was crafted.

Patches

This issue is patched in Release 10.16.1.

Workarounds

Some possible workarounds:

If users are concerned about this vulnerability and process unknown user content without timeouts or other safeguards in place to prevent really large, malicious content being aimed at systems, the use of pymdownx.blocks.caption could be avoided until the library is updated to 10.16.1+.

References

The original issue https://github.com/facelessuser/pymdown-extensions/issues/2716.

Description

The original issue came through PyMdown Extensions' normal issue tracker instead of the typical security flow: https://github.com/facelessuser/pymdown-extensions/issues/2716. Because this came through the normal issue flow, it was handled as a normal issue. In the future, PyMdown Extensions will ensure such issues, even if prematurely made public through the normal issue flow, are redirected through the typical security process.

The regular expression pattern in question is as follows:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

The PoC was provided by @ShangzhiXu:

import re
import time

regex_pattern = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

for i in range(50, 500, 50):
    long_string = '1' * i + 'a'
    start_time = time.time()
    match = re.match(regex_pattern, long_string)
    end_time = time.time()
    print(f"long_string execution time: {end_time - start_time:.6f} s")

The issue with the above pattern is that . was used, which accepts any character when we meant to use \.. The fix was to update the pattern to:

RE_FIG_NUM = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')

Relevant PR with fix: https://github.com/facelessuser/pymdown-extensions/pull/2717
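The following added example (not code from the advisory or the project) puts the vulnerable and patched patterns side by side. It shows the semantic difference the stray "." introduces (the vulnerable pattern accepts "1a2" as a figure number) and why rejection of the PoC input grows exponentially only for the old pattern; fig_num and time_match are hypothetical helper names.

```python
import re
import time

# Vulnerable pattern from the advisory: the unescaped "." also matches digits,
# so a run of "1"s can be split between [0-9]* and (?:.[1-9][0-9]*)* in an
# exponential number of ways before the lookahead finally fails on "a".
RE_FIG_NUM_VULN = re.compile(r'^(\^)?([1-9][0-9]*(?:.[1-9][0-9]*)*)(?= |$)')

# Patched pattern (10.16.1): only a literal "." can separate number components,
# so every character has exactly one place it can match.
RE_FIG_NUM_FIXED = re.compile(r'^(\^)?([1-9][0-9]*(?:\.[1-9][0-9]*)*)(?= |$)')


def fig_num(pattern, text):
    """Return the figure-number component the pattern extracts, or None."""
    m = pattern.match(text)
    return m.group(2) if m else None


def time_match(pattern, n):
    """Seconds the pattern needs to reject '1' * n + 'a' (the PoC input)."""
    s = '1' * n + 'a'
    t0 = time.perf_counter()
    pattern.match(s)
    return time.perf_counter() - t0


if __name__ == "__main__":
    for text in ("1", "1.2.3", "^12.3 Caption", "1a2", "1x"):
        print(f"{text!r:16} vuln={fig_num(RE_FIG_NUM_VULN, text)!r:10} "
              f"fixed={fig_num(RE_FIG_NUM_FIXED, text)!r}")
    # Keep n small: the vulnerable pattern's cost roughly multiplies by 1.6 per added "1".
    for n in (18, 22, 26):
        print(f"n={n}: vuln {time_match(RE_FIG_NUM_VULN, n):.4f}s  "
              f"fixed {time_match(RE_FIG_NUM_FIXED, n):.6f}s")
```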

Version(s) & System Info

  • Operating System: Any
  • Python Version: Any

Release Notes

facelessuser/pymdown-extensions (pymdown-extensions)

v10.16.1: 10.6.1

Compare Source

10.16.1

  • FIX: Inefficient regular expression pattern for figure caption numbers.

v10.16

Compare Source

10.16

  • NEW: Add early support for Python 3.14.
  • NEW: Drop support for Python 3.8.
  • NEW: Snippets: Added max_retries and backoff_retries options to configure new retry logic for HTTP 429
    errors (Too Many Requests client error).
  • NEW: Caption: Prefix templates are now preserved exactly as specified allowing the insertion of HTML tags if
    desired.
  • FIX: Caption: Fix issue where manual numbers in auto were not respected appropriately.

v10.15

Compare Source

10.15.0

  • NEW: SuperFences: Add relaxed_headers option which can tolerate bad content in the fenced code header. When
    enabled, code blocks with bad content in the header will likely still convert into code blocks, often respecting
    the specified language.
  • NEW: Add type hints to the Blocks interface and a few additional files.
  • FIX: Blocks: Fix some corner cases of nested blocks with lists.
  • FIX: Tab and Tabbed: Fix a case where tabs could fail if combine_header_slug was enabled and there was no
    header.

v10.14.3

Compare Source

10.14.3

  • FIX: Blocks: An empty, raw block type should not cause an error.

v10.14.2

Compare Source

10.14.2

  • FIX: Blocks: Fix some corner cases with md_in_html.

v10.14.1

Compare Source

10.14.1

  • FIX: MagicLink: Ensure that repo names that start with . are handled correctly.
  • FIX: FancyLists: Fix case where lists could be falsely created when a line started with . or ).

v10.14

Compare Source

10.14

  • NEW: Blocks.HTML: Add new custom option to specify tags and the assumed handling for them when automatic mode
    is assumed. This can also be used to override the handling for recognized tags with automatic handling.
  • FIX: Fix tests to pass with Pygments 2.19+.

v10.13

Compare Source

10.13

  • NEW: Snippets: Allow multiple line numbers or line number blocks separated by ,.
  • NEW: Snippets: Allow using a negative index for number start indexes and end indexes. Negative indexes are converted to positive indexes based on the number of lines in the snippet.
  • FIX: Snippets: Properly capture empty newline at end of file.
  • FIX: Snippets: Fix issue where section labels were not stripped when a file was included without specifying a section.
  • FIX: BetterEm: Fixes for complex cases.
  • FIX: Blocks: More consistent handling of empty newlines in block processor extensions.

v10.12

Compare Source

10.12

  • NEW: Blocks: Blocks extensions no longer considered in beta.
  • NEW: Details: Details is marked as "legacy" in documentation in favor of the new pymdownx.blocks.details approach.
  • NEW: Tabbed: Tabbed is marked as "legacy" in documentation in favor of the new pymdownx.blocks.tab approach.
  • NEW: Caption: Add new "blocks" style extension called Caption which helps with specifying figures with captions.
  • NEW: Emoji: Add a new strict option that will raise an exception if an emoji is used whose name has changed,
    removed, or never existed.
  • FIX: Emoji: Emoji links should be generated such that they point to the new CDN version.

v10.11.2

Compare Source

10.11.2

  • FIX: SuperFences: Fix a regression where certain patterns could cause a hang.

v10.11.1

Compare Source

10.11.1

  • FIX: SuperFences: Fix regression where an omitted language in conjunction with options in the fenced header
    can cause a fence to not be parsed.

v10.11

Compare Source

10.11

  • NEW: SuperFences: Allow fenced code to be parsed in the form ```lang {.class #id}.

v10.10.2

Compare Source

10.10.2

  • FIX: BetterEm: Add better support for *em, **em,strong*** and _em, __em,strong___ cases.
  • FIX: Caret: Add better support for *sup, **sup,ins***.
  • FIX: Tilde: Add better support for *sub, **sub,del***.

v10.10.1

Compare Source

10.10.1

  • FIX: FancyLists: Remove a mistaken semicolon from injected classes.

v10.10

Compare Source

10.10

  • NEW: FancyLists: Add new FancyLists extension.
  • NEW: MagicLink: Change social links to support x instead of twitter. twitter is still recognized but is
    now deprecated and will be removed at a future time.
  • NEW: Emoji: Update Twemoji data to the latest.
  • FIX: PathConverter: Fixes for latest changes in Python regarding urlunparse.

v10.9

Compare Source

10.9

  • NEW: Officially support Python 3.13.
  • FIX: Snippets: Better handling of cases where URL snippet requests contain no header length.

v10.8.1

Compare Source

10.8.1

  • FIX: Snippets: Fix snippet line range with a start of line 1.

v10.8

Compare Source

10.8

  • NEW: Require Python Markdown 3.6+.
  • FIX: Fix some test cases.
  • FIX: Fix warnings due to recent changes in Python Markdown.

v10.7.1

Compare Source

10.7.1

  • FIX: SmartSymbols: Ensure symbols are properly translated in table of content tokens.

v10.7

Compare Source

10.7

  • NEW: Emoji: Update Twemoji and Gemoji data to latest.
  • NEW: Emoji: Due to recent Gemoji update, non-standard emoji are no longer indexed. So emoji such as :octocat:
    are no longer resolved.
  • NEW: Highlight: Added new option default_lang which will cause code blocks with no language specifier to be
    highlighted with the specified default language instead of plain text. This affects indented code blocks and code
    blocks defined with SuperFences.
  • NEW: InlineHilite: style_plain_text can be specified with a language string (in addition to its previous
    boolean requirement) to treat inline code blocks with no explicit language specifier with a specific default
    language.

v10.6

Compare Source

10.6

  • NEW: MagicLink: Allow configuring custom repository providers based off the existing providers.

v10.5

Compare Source

10.5

  • NEW: Blocks: Admonitions and Details now allow configuring custom block classes and default titles.
  • FIX: Keys: Ensure that Keys does not parse base64 encoded URLs.

v10.4

Compare Source

10.4

  • NEW: Snippets: Allow PathLike objects for base_path to better support interactions with MkDocs.
  • FIX: Block Admonitions: Empty titles should be respected.
  • FIX: Block Details: Empty summary should be respected.

v10.3.1

Compare Source

10.3.1

  • FIX: SuperFences: Fix an issue where braces were not handled properly in attributes.

v10.3

Compare Source

10.3

  • NEW: Officially support Python 3.12.
  • NEW: Drop Python 3.7 support.

v10.2.1

Compare Source

10.2.1

  • FIX: Tabbed: Fix regression.

v10.2

Compare Source

10.2

  • NEW: Highlight: Add new stripnl option to configure Pygments' default handling of stripping leading and
    trailing new lines from code blocks. Mainly affects fenced code blocks.
  • FIX: SuperFences: Fix issue where when SuperFences attempts to test if a placeholder is its own, it can throw
    an exception.

v10.1

Compare Source

v10.0.1

Compare Source

10.0.1

  • FIX: Regression related to snippets nested deeply under specified base path.

v10.0

Compare Source

10.0

  • Break: Snippets: snippets will restrict snippets to ensure they are under the base_path preventing snippets
    relative to the base_path but not explicitly under it. restrict_base_path can be set to False for legacy
    behavior.

v9.11

Compare Source

9.11

  • NEW: Emoji: Update to new CDN and use Twemoji 14.1.2.
  • NEW: Snippets: Ignore nested snippet section syntax when including a section.

v9.10

Compare Source

9.10

  • NEW: Blocks: Add new experimental general purpose blocks that provide a framework for creating fenced block
    containers for specialized parsing. A number of extensions utilizing general purpose blocks are included and are meant
    to be an alternative to (and maybe one day replace): Admonitions, Details, Definition Lists, and Tabbed. Also adds a
    new HTML plugin for quick wrapping of content with arbitrary HTML elements.
  • NEW: Highlight: When enabling line spans and/or line anchors, if a code block has an ID associated with it, line
    ids will be generated using that code ID instead of the code block count.
  • NEW: Snippets: Expand section syntax to allow section names with - and _.
  • NEW: Snippets: When check_paths is enabled, and a specified section is not found, raise an error.
  • NEW: Snippets: Add new experimental feature dedent_sections that will de-indent (remove any common leading
    whitespace from every line in text) from that block of text.
  • NEW: MagicLink: Update GitLab links to match recent changes and to be more correct.
  • NEW: MagicLink: Relax required hash length when performing link shortening.

v9.9.2

Compare Source

9.9.2

  • FIX: Snippets syntax can break in XML comments as XML comments do not allow --. Relax Snippets syntax such that
    -8<- (single -) are allowed.

v9.9.1

Compare Source

9.9.1

  • FIX: Use a different CDN for Twemoji icons as MaxCDN is no longer available.

v9.9

Compare Source

9.9

  • ENHANCE: BetterEm: Further improvements to strong/emphasis handling:
    • Ensure that one or more consecutive * or _ surrounded by whitespace are not considered as a token.
  • ENHANCE: Caret: Apply recent BetterEm improvements to Caret:
    • Fix case where ^^ nested between ^ would be handled in an unexpected way.
    • Ensure that one or more consecutive ^ surrounded by whitespace are not considered as a token.
  • ENHANCE: Tilde: Apply recent BetterEm improvements to Tilde:
    • Fix case where ~~ nested between ~ would be handled in an unexpected way.
    • Ensure that one or more consecutive ~ surrounded by whitespace are not considered a token.
  • ENHANCE: Mark: Apply recent BetterEm improvements to Mark:
    • Ensure that one or more consecutive = surrounded by whitespace are not considered a token.

v9.8

Compare Source

9.8

  • NEW: Formally declare support for Python 3.11.
  • FIX: BetterEm: Fix case where ** nested between * would be handled in an unexpected way.

v9.7

Compare Source

9.7

  • NEW: Tabbed: Add new syntax to allow forcing a specific tab to be selected by default.
  • NEW: Snippets: Add a new option to pass arbitrary HTTP headers.
  • NEW: Snippets: Allow specifying sections in a snippet and including just the specified section.

v9.6

Compare Source

9.6

  • NEW: Highlight: Allow greater granularity of specifying where language guessing takes place via guess_lang
    option (e.g. block vs inline).
  • NEW: Tabbed: Add options for generating tab IDs from tab titles.
  • NEW: Snippets: Add support for specifying specific lines for Snippets.
  • NEW: Snippets: Commenting out files in block format no longer requires a space directly after ;.
  • NEW: Snippets: A new sane way to escape snippets is now available.

v9.5

Compare Source

9.5

  • NEW: InlineHilite: Custom inline code block formatters can now be forced to raise an exception by raising a
    InlineHiliteException.
  • NEW: Snippets: Add new options to handle importing snippets from URL.
  • NEW: Snippets: Snippets will only swallow missing file errors (unless check_paths is enabled), all other errors
    will be propagated up.
  • NEW: Snippets: When a file or URL is missing, raise SnippetMissingError instead of IOError.
  • FIX: Snippets: Small issues related to recursive inclusion of snippets.

v9.4

Compare Source

9.4

  • NEW: Highlight: Changes in order to support Pygments 2.12+. If using Pygments and a version less than 2.12 is
    installed, Highlight will raise an exception.

v9.3

Compare Source

9.3

  • NEW: B64: Allow SVG to be encoded and inlined.
  • NEW: PathConverter: Add option to use file:// prefix on absolute paths.
  • FIX: Highlight: Ensure that extend_pygments_lang is not case sensitive regarding language names.

v9.2

Compare Source

9.2

  • NEW: Drop Python 3.6 support and formally add Python 3.10 support.
  • NEW: Highlight: Add pygments_lang_option to enable attaching language classes to Pygments code blocks.
  • NEW: SuperFences: Custom fence validators and formatters can now be forced to raise an exception by raising a
    SuperFencesException.
  • NEW: Keys: Add power and fingerprint keys.
  • FIX: SuperFences: Fix case where custom fence in a blockquote was not gracefully handled.
  • FIX: Arithmatex: fix issue where if you limit the inline or block syntax to specific input types, access to
    certain matched groups could cause an error.

v9.1

Compare Source

9.1

  • NEW: Highlight: If linenums is enabled globally via the highlight extension, and a code block specifies a line
    number of zero (e.g. SuperFences), disable line numbers for that code block.
  • FIX: Snippets: Add missing documentation for auto_append feature that was added in 8.2.
  • FIX: Highlight: When attr_list is enabled, attributes were not properly added to Pygments code blocks in the
    table format. (#1505)

v9.0

Compare Source

9.0

Please see Migration Notes for details on upgrading to 9.0.

  • NEW: Arithmatex: Wrap MathJax "script" format (non-preview) with a container element just like all other
    Arithmatex output formats.
  • NEW: Arithmatex: MathJax (non-generic) form's container element now has the arithmatex class added just like
    everywhere else.
  • NEW: Arithmatex: Add options to override HTML element container type of inline and block math.
  • NEW: Arithmatex: Add new formatter functions intended to replace old math fenced/inline block formatters. New
    formatter functions are configurable. All others are marked as deprecated and will be removed at some future date.
  • NEW: Emoji: Upgraded Twitter emoji database to support latest emoji. It is a known issue that Twitter has
    :man_in_santa_hat: and :mx_claus: backwards -- same for :mrs_claus: and :woman_in_santa_hat:. That is on
    Twitter's side, not ours.
  • NEW: Highlight: Add support for the Pygments option linespans.
  • NEW: Highlight: Add support for Pygments option lineanchors.
  • NEW: Highlight: Add support for Pygments option anchorlinenos.
  • NEW: Highlight: Remove legacy_no_wrap_code option.
  • NEW: Add support for generating title headers pulled from the Pygments lexer for code blocks. Feature can be
    enabled via the new auto_title option. If a specific name is not preferred, these names can be overridden via
    a user defined mapping called auto_title_map.
  • NEW: SuperFences: Allow setting a title, or overriding an auto title via the new title option in a fenced code
    header.
  • NEW: SuperFences: Allow adding ID and arbitrary data- attributes on Pygments code blocks. The latter requires
    the attr_list extension to be enabled.
  • NEW: SuperFences: Removed old deprecated option highlight_code which no longer did anything.
  • NEW: SuperFences: Remove legacy code meant to help with transitioning to new custom fence function format.
  • NEW: Tabbed: New alternate style that allows for a scrollable tabs if they overflow. Feature is experimental, see
    docs for more information.
  • NEW: Slugs: Add new configurable slugify function that aims to replace all other slugify methods. Deprecate
    uslugify, uslugify_encoded, uslugify_case, uslugify_case_encoded, gfm, and gfm_encoded. slugify takes
    parameters returning a function that performs the desired slug handling. slugify adds new options case="fold" for
    case folding and normalize='<normalize format here>' (uses NFC by default).
  • FIX: BetterEm: Fix some complex cases related to "smart" logic. (#1413)
  • FIX: EscapeAll: Fix issue where an escaped HTML entity may end up with incorrect slug and incorrect table of
    content entry.
  • FIX: Highlight: Fix issue that occurs when showing only nth line numbers and using pymdownx-inline. Lines not
    showing a line number would not render with the proper leading space.

v8.2

Compare Source

8.2

  • NEW: Snippets: now accepts a list of base paths which will be resolved in the order they are specified.
    Compatibility is present with legacy behavior, and a single string path will still be accepted.
  • NEW: Snippets: allow for specifying certain snippets to auto-append to every file. Useful for appending
    abbreviations, reference links, etc.
  • NEW: Snippets: a snippet base path can be a full path to a file. When a base path is a full path to a file, only
    that file will be included from the specified folder. This allows for targeting a one-off file outside of the normal
    snippet path(s).
  • NEW: MagicLink: add GitHub Discussions support to MagicLink. Can now use ?<num> to link discussions. Full
    discussion links will also be shortened if shortening is enabled. (#1187)
  • NEW: MagicLink: add new normalize_issue_symbols option to make issues, pull request, and discussion links all
    render with # instead of #, !, and ? respectively. Input syntax is still the same. Great if you want a GitHub
    style look where all issue types are just rendered with #.
  • FIX: MagicLink: documentation will not render links with special icons added via CSS so as not to confuse users
    that may think that is part of MagicLink. While possible with CSS, MagicLink provides no CSS automatically.
  • FIX: Tabbed & Details: Fix corner case with lists. (#1225)
  • FIX: Fix issue with unescaping logic in code blocks.

v8.1.1

Compare Source

8.1.1

  • FIX: Ensure content immediately before Details content or Tabbed content gets preserved.
  • FIX: StripHTML: Fix some corner cases related to stripping comments.

v8.1

Compare Source

8.1

  • NEW: Drop support for Python 3.5.
  • NEW: Officially support Python 3.9.
  • NEW: Tabbed titles can now have simple Markdown in them which can be parsed and rendered (like emoji, bold, etc.).
  • FIX: Avoid parsing script tags in PathConverter and B64 extensions.

v8.0.1

Compare Source

8.0.1

  • FIX: Fix issue with pymdownx-inline and Pygments 2.7+.

v8.0

Compare Source

8.0

Please see Release Notes for details on upgrading to 8.0.

  • NEW: Added SaneHeaders extension.
  • NEW: SuperFences & InlineHilite: gracefully handle failing custom formatters and/or validators. Users should add their own debug code to their formatter/validator if they suspect it isn't working.
  • NEW: SuperFences: if a custom fence validator fails, try the next custom fence until all are exhausted.
  • NEW: SuperFences: no longer allow custom options in the form key= (no value). Only keys with values or keys with no value and no = are accepted. Keys with no value will now assume the value to be the key name.
  • NEW: SuperFences: if attr_list extension is enabled, fenced code that use brace attribute list style headers ( ```{lang #id .class attr=value}) will attach arbitrary attributes that are included in the header to the code element.
  • NEW: SuperFences: when Pygments is disabled, options (such as linenums) included in fenced code headers no longer do anything. If attr_list is enabled, and the brace header is used, such options will be treated as HTML attributes. JavaScript highlighter options should be defined in the brace header form with attr_list enabled in order to generate appropriate, compatible HTML with the chosen JavaScript highlighter.
  • NEW: SuperFences: backwards incompatible changes were made to the custom fence API. See Release Notes for instructions on how to migrate to the new API. Some temporary support for most of the old format is in place, but is deprecated.
  • NEW: SuperFences: has removed legacy code tab feature. Associated legacy_tab_classes option has been removed. Please use the Tabbed extension to create general purpose tabs for code blocks or other content.
  • NEW: Highlight: add new option language_prefix which controls the prefix applied to language classes when Pygments is not being used.
  • NEW: Highlight: A new option called code_attr_on_pre was added to the Highlight extension and controls whether language classes, and any ids, attributes, and classes that are defined in fenced code attribute list style headers, are attached to the code element or pre element. This has effect when using Pygments.
  • NEW: Highlight: option linenums now defaults to None and accepts None, True, or False. None is disabled by default, but can be enabled per code block. True enables line numbers globally. False disables globally and cannot be enabled manually per code block.
  • NEW: ExtraRawHTML: remove extension.
  • FIX: Fix issues with complex emphasis combinations in BetterEm.
  • FIX: Details: fix corner cases related to extension and lists.
  • FIX: Tabbed: fix corner cases related to extension and lists.
  • FIX: EscapeAll: Handle HTML entities special.
  • FIX: SuperFences: Fix parameter unpacking bug.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner May 31, 2023 01:54
@renovate renovate bot force-pushed the renovate/pypi-pymdown-extensions-vulnerability branch from 48572a8 to 88fbad9 Compare December 16, 2025 21:14