
Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Moderate severity GitHub Reviewed Published Sep 21, 2022 in gjtorikian/commonmarker • Updated Jan 7, 2023

Package

bundler commonmarker (RubyGems)

Affected versions

< 0.23.6

Patched versions

0.23.6

Description

Impact

CommonMarker uses cmark-gfm for rendering GitHub Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

  • v0.23.6

Workarounds

Disable use of the autolink extension.
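One way to apply this workaround in a Ruby application until the gem can be upgraded: drop `:autolink` from the extension list whenever the installed commonmarker is older than 0.23.6. This is an added example, not code from the advisory or the commonmarker project; it assumes the 0.x API call `CommonMarker.render_html(text, options, extensions)`, and the helper names are made up for this illustration.

```ruby
# Added example (not from the advisory or the commonmarker project):
# keep the :autolink extension only when the loaded commonmarker gem
# is at or above the patched 0.23.6 release.
PATCHED_VERSION = Gem::Version.new('0.23.6')

# Version of the commonmarker gem currently loaded, or nil if it is not.
def installed_commonmarker_version
  spec = Gem.loaded_specs['commonmarker']
  spec && spec.version
end

# Extension list to hand to CommonMarker: identical to the requested
# list on a patched version, otherwise the same list without :autolink.
def safe_extensions(requested, version = installed_commonmarker_version)
  patched = version && Gem::Version.new(version.to_s) >= PATCHED_VERSION
  patched ? requested : requested.reject { |ext| ext == :autolink }
end

# Render Markdown through the 0.x API (assumed signature:
# CommonMarker.render_html(text, options, extensions)); the gem is
# loaded lazily so the helpers above work without it installed.
def render_markdown(text, extensions = [:table, :strikethrough, :autolink])
  require 'commonmarker'
  CommonMarker.render_html(text, :DEFAULT, safe_extensions(extensions))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed version strings, one below and one at the patched release.
  p safe_extensions([:table, :autolink], '0.23.5')  # => [:table]
  p safe_extensions([:table, :autolink], '0.23.6')  # => [:table, :autolink]
end
```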

References

gjtorikian/commonmarker#190
GHSA-cgh3-p57x-9q7q
https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

References

@gjtorikian gjtorikian published to gjtorikian/commonmarker Sep 21, 2022
Published to the GitHub Advisory Database Sep 21, 2022
Reviewed Sep 21, 2022
Last updated Jan 7, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-4qw4-jpp4-8gvp