
Unbounded resource exhaustion may lead to denial of service

Moderate
anticomputer published GHSA-cgh3-p57x-9q7q Sep 15, 2022

Package

cmark-gfm (None)

Affected versions

< 0.29.0.gfm.6

Patched versions

0.29.0.gfm.6

Description

Impact

Parsing cost in cmark-gfm's autolink extension grows polynomially (superlinearly) with input length rather than linearly, so a relatively short, attacker-controlled document can drive CPU usage without bound and cause a denial of service in any service that renders untrusted Markdown with the extension enabled.

Patches

This vulnerability has been patched in 0.29.0.gfm.6.

You may verify the patch by running python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink, which pipes a document of 100000 repeated "![l" sequences (about 300 KB) into cmark-gfm with the autolink extension enabled. An unpatched cmark-gfm will exhaust resources on this input; a patched cmark-gfm renders it correctly. Because the unpatched build may run for a very long time, run the check under a time limit (for example, the timeout utility) rather than waiting for it to finish.

Workarounds

Disable use of the autolink extension until you can upgrade: do not pass -e autolink to the cmark-gfm CLI, and do not enable the autolink extension on the parser when rendering untrusted input through the library.
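A more informative version of the check above, as an added example that is not part of the advisory or of cmark-gfm itself: instead of a single 100000-repeat run that hangs on an unpatched build, it times a doubling series of inputs, both with the autolink extension (the vulnerable path) and without it (the workaround), and estimates the growth exponent. A time ratio of about 2 per doubling means linear parsing; a ratio near 4 or higher means polynomial blow-up. It assumes a cmark-gfm binary on PATH (or a path in the CMARK_GFM environment variable); the input sizes, the timeout and the 1.5 exponent threshold are assumptions chosen for illustration.

```python
"""Scaling check for the cmark-gfm autolink resource-exhaustion issue.

Added example, not part of the advisory or of cmark-gfm. Assumes a cmark-gfm
binary on PATH or named by CMARK_GFM; sizes, timeout and threshold are
illustrative assumptions.
"""
import math
import os
import shutil
import subprocess
import time

CMARK = os.environ.get("CMARK_GFM", "cmark-gfm")  # assumption: binary name/path


def make_payload(repeats: int) -> bytes:
    """Same input as the advisory's check: '![l' repeated, then a newline."""
    return b"![l" * repeats + b"\n"


def time_render(payload: bytes, extensions=("autolink",), timeout_s=10.0):
    """Feed payload to cmark-gfm; return (seconds, completed).

    completed is False when the run hit the timeout, which is the unpatched
    behaviour on a large enough input.
    """
    cmd = [CMARK]
    for ext in extensions:
        cmd += ["-e", ext]
    start = time.perf_counter()
    try:
        subprocess.run(cmd, input=payload, stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL, timeout=timeout_s, check=False)
    except subprocess.TimeoutExpired:
        return time.perf_counter() - start, False
    return time.perf_counter() - start, True


def growth_exponent(samples):
    """Estimate k in time ~ n**k from consecutive (n, seconds) pairs.

    Between doublings of n, a time ratio of 2 means linear, 4 quadratic,
    8 cubic. The largest pairwise estimate is returned so that the
    process-startup overhead on tiny inputs does not mask the blow-up.
    """
    exps = []
    for (n0, t0), (n1, t1) in zip(samples, samples[1:]):
        if t0 <= 0 or t1 <= 0:
            continue  # unmeasurable timing, skip the pair
        exps.append(math.log(t1 / t0) / math.log(n1 / n0))
    return max(exps) if exps else 0.0


def is_superlinear(samples, threshold=1.5):
    """Assumed threshold: anything clearly above linear is flagged."""
    return growth_exponent(samples) >= threshold


def scaling_check(sizes=(10_000, 20_000, 40_000, 80_000), timeout_s=10.0):
    """Time the payload without extensions (workaround) and with autolink.

    Returns {extensions_tuple: [(n, seconds), ...]}. A run that times out is
    recorded with its elapsed time (about timeout_s) and ends that series.
    """
    results = {}
    for exts in ((), ("autolink",)):
        series = []
        for n in sizes:
            secs, ok = time_render(make_payload(n), exts, timeout_s)
            series.append((n, secs))
            if not ok:
                break  # larger inputs would only hang longer
        results[exts] = series
    return results


if __name__ == "__main__":
    if shutil.which(CMARK) is None:
        raise SystemExit(f"{CMARK} not found; set CMARK_GFM to the binary path")
    for exts, series in scaling_check().items():
        label = " ".join(f"-e {e}" for e in exts) or "(no extensions)"
        k = growth_exponent(series)
        verdict = ("superlinear: likely unpatched" if is_superlinear(series)
                   else "roughly linear")
        timings = [(n, round(t, 3)) for n, t in series]
        print(f"{label}: {timings} -> exponent ~{k:.2f}, {verdict}")
```

On a patched build both series should report an exponent near 1 (or below it, since process startup dominates the smallest inputs); on an unpatched build the autolink series climbs steeply or hits the timeout while the no-extension series stays linear, which is exactly why disabling the extension works as a stopgap.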

References

https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

Severity

Moderate

CVE ID

CVE-2022-39209

Weaknesses