GHSA-4qw4-jpp4-8gvp: Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service
Impact
CommonMarker uses cmark-gfm for rendering GitHub Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.
Patches
This vulnerability has been patched in the following CommonMarker release:
- v0.23.6
Workarounds
Disable use of the autolink extension.
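The following is an added example, not code from the advisory or from the CommonMarker project: a small helper that applies the workaround in a CommonMarker 0.23.x application by stripping `:autolink` from the extension list on versions below the patched 0.23.6, while keeping the other extensions. It assumes the 0.23.x API, where `CommonMarker.render_html` takes the extension symbols as its third argument, and a default extension list chosen here for illustration.

```ruby
# Added example (not from the advisory or the CommonMarker project).
# Applies the advisory's workaround: on CommonMarker versions below 0.23.6
# the autolink extension is dropped from the extension list; on patched
# versions the requested extensions are used unchanged.
require "rubygems" # for Gem::Version (standard library)

PATCHED_VERSION = Gem::Version.new("0.23.6")

# True when the given CommonMarker version still ships the vulnerable
# autolink extension (everything below 0.23.6, per the advisory).
def autolink_vulnerable?(version)
  Gem::Version.new(version) < PATCHED_VERSION
end

# Returns the extension list to hand to CommonMarker: unchanged on a
# patched version, with :autolink removed on a vulnerable one. Other
# extensions (tables, strikethrough, tagfilter, ...) are preserved.
def safe_extensions(requested, version)
  return requested.dup unless autolink_vulnerable?(version)
  requested.reject { |ext| ext == :autolink }
end

# Renders Markdown to HTML with the filtered extension list. The default
# extension list below is an assumption for this example; adjust to your
# application. CommonMarker is required lazily so the version check above
# can be exercised without the gem installed.
def render_markdown(text, extensions: [:table, :strikethrough, :autolink, :tagfilter])
  require "commonmarker"
  exts = safe_extensions(extensions, CommonMarker::VERSION)
  CommonMarker.render_html(text, :DEFAULT, exts)
end
```

On a vulnerable version, bare URLs such as `www.example.com` are no longer turned into links, which is the intended trade-off until the gem is upgraded to 0.23.6.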
References
- https://github.com/gjtorikian/commonmarker/pull/190
- https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
- https://en.wikipedia.org/wiki/Time_complexity
For more information
If you have any questions or comments about this advisory:
- Open an issue in github/cmark-gfm
Acknowledgements
We would like to thank Legit Security for reporting this vulnerability.
Moderate severity. GitHub Reviewed. Published Sep 21, 2022 in gjtorikian/commonmarker. Updated Sep 21, 2022.
Package
bundler commonmarker (RubyGems)
Affected versions
< 0.23.6
Patched versions
0.23.6
References
- GHSA-4qw4-jpp4-8gvp
- gjtorikian/commonmarker#190
- https://github.com/gjtorikian/commonmarker/releases/tag/v0.23.6
gjtorikian published the maintainer security advisory
Sep 21, 2022
Severity
Moderate
Weaknesses
CWE-400
CVE ID
No known CVE
GHSA ID
GHSA-4qw4-jpp4-8gvp
Source code
gjtorikian/commonmarker