Vulnerability Database

300,445

Total vulnerabilities in the database

Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

v0.23.6

Workarounds

Disable use of the autolink extension.

References

https://github.com/gjtorikian/commonmarker/pull/190 https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

Open an issue in github/cmark-gfm

Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

Published: Sep 21, 2022
Updated: Apr 14, 2023
GHSA: GHSA-4qw4-jpp4-8gvp
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
commonmarker	-	0.23.6

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo