Impact
A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.
Patches
This vulnerability has been patched in 0.29.0.gfm.6.
You may verify the patch by running python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink, which exhausts resources on unpatched cmark-gfm but renders correctly on patched cmark-gfm.
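The following POSIX shell script is an added regression check, not part of the advisory: it feeds the advisory's pathological input to a cmark-gfm binary under a wall-clock limit and reports whether the build behaves as patched (renders) or unpatched (killed by the timeout). It assumes python3 and a coreutils/busybox-style timeout on PATH, and that the path to the cmark-gfm binary is passed as the first argument.

```shell
#!/bin/sh
# Added regression check for the cmark-gfm autolink advisory (not the
# project's own code). Runs the advisory's verification command with a
# wall-clock limit so an unpatched build fails fast instead of hanging.

# Emit the same input as the advisory's command:
# 100000 repetitions of "![l" followed by a blank line.
make_autolink_input() {
    python3 -c 'print("![l" * 100000 + "\n")'
}

# check_autolink_patched BINARY [TIMEOUT_SECONDS]
# Returns 0 when BINARY renders the input within the limit (patched),
# 1 when timeout kills it (the unpatched resource-exhaustion behaviour),
# 2 when BINARY exits with some other error (missing binary, bad flag).
check_autolink_patched() {
    bin=$1
    limit=${2:-5}   # assumed default: 5 seconds is generous for a patched build
    make_autolink_input | timeout "$limit" "$bin" -e autolink >/dev/null 2>&1
    rc=$?           # exit status of the last pipeline stage (timeout)
    case $rc in
        0)   echo "patched: $bin rendered the input within ${limit}s"; return 0 ;;
        124) echo "UNPATCHED: $bin exceeded ${limit}s (resource exhaustion)"; return 1 ;;
        *)   echo "error: $bin exited with status $rc"; return 2 ;;
    esac
}

# Usage: ./check_autolink.sh ./cmark-gfm [seconds]
if [ $# -gt 0 ]; then
    check_autolink_patched "$@"
fi
```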
Workarounds
Disable use of the autolink extension.
References
https://en.wikipedia.org/wiki/Time_complexity
For more information
If you have any questions or comments about this advisory:
Acknowledgements
We would like to thank Legit Security for reporting this vulnerability.