lepture/mistune

What's the scope of CVE-2022-34749?

Opened this issue · 2 comments

The advisory for GHSA-fw3v-x4f2-v673 says that all versions of mistune before 2.0.3 are vulnerable. Given the fix was to modify a single regex, which isn't present in versions before 2.0.0a1, I think this claim is unlikely to be true. Is every version of mistune ever released (starting with 0.1.0) actually vulnerable to a ReDoS, or should there be a version bound of e.g. >1.8.4 on the advisory?

It only applies to 2.0.x.

I'll reveal the detailed case in 2 months. Let's give people some time to upgrade their dependencies.

Thanks for clarifying that no action is needed for <2.0.0. Looking forward to the full breakdown 👍