CVE-2022-24724
published 2022-03-03


Priority: P259 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.19% (89.7th percentile)
cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing (`table.c:row_from_string`) may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX (65535) columns. The impact of this heap corruption ranges from information leak to arbitrary code execution depending on how and where `cmark-gfm` is used. If `cmark-gfm` is used to render remote, user-controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the library. The vulnerability has been patched in cmark-gfm 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available: the vulnerable code lives in the table markdown extension of cmark-gfm, so disabling the table extension prevents the vulnerability from being triggered.

Affected

14 ranges
Vendor        | Product           | Version range                          | Fixed in
debian        | cmark-gfm         | < cmark-gfm 0.29.0.gfm.3-3 (bookworm)  | cmark-gfm 0.29.0.gfm.3-3 (bookworm)
debian        | ghostwriter       | < cmark-gfm 0.29.0.gfm.3-3 (bookworm)  | cmark-gfm 0.29.0.gfm.3-3 (bookworm)
debian        | python-cmarkgfm   | < cmark-gfm 0.29.0.gfm.3-3 (bookworm)  | cmark-gfm 0.29.0.gfm.3-3 (bookworm)
debian        | r-cran-commonmark | < cmark-gfm 0.29.0.gfm.3-3 (bookworm)  | cmark-gfm 0.29.0.gfm.3-3 (bookworm)
debian        | ruby-commonmarker | < cmark-gfm 0.29.0.gfm.3-3 (bookworm)  | cmark-gfm 0.29.0.gfm.3-3 (bookworm)
fedoraproject | fedora            |                                        |
fedoraproject | fedora            |                                        |
fedoraproject | fedora            |                                        |
github        | cmark-gfm         | < 0.28.3.gfm.21                        | 0.28.3.gfm.21
github        | cmark-gfm         | < 0.29.0.gfm.3                         | 0.29.0.gfm.3
github        | cmark-gfm         |                                        |
github        | cmark-gfm         | >= 0, < 0.29.0.gfm.3-3                 | 0.29.0.gfm.3-3
github        | cmark-gfm         | >= 0, < 0.29.0.gfm.3-3                 | 0.29.0.gfm.3-3
github        | cmark-gfm         | >= 0, < 0.29.0.gfm.3-3                 | 0.29.0.gfm.3-3

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered through table row parsing in cmark-gfm (`table.c:row_from_string`). Exploitation attempts can be detected by monitoring rendered markdown for table marker rows with an abnormally large number of columns; the overflow requires more than UINT16_MAX (65535) columns in a single marker row.
  • The vulnerable code path lies exclusively within the table markdown extension of cmark-gfm, so detection or WAF rules should focus on table syntax (pipe-delimited marker rows) in user-supplied markdown rendered by affected versions (< 0.29.0.gfm.3 or < 0.28.3.gfm.21).
  • Disabling the cmark-gfm table extension entirely is a viable workaround that fully prevents this vulnerability from being triggered, at the cost of losing table rendering support.
  • Impact severity depends on deployment context: if cmark-gfm renders remote, user-controlled markdown, the vulnerability may escalate to Remote Code Execution; otherwise it may be limited to an information leak.
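The following C model is added here as an illustration of the pattern described in the summary and in the first two detection notes above; it is not code from cmark-gfm. It shows a column count narrowed to 16 bits before it sizes a heap buffer (the vulnerable pattern), the bounded count a hardened parser would enforce (an assumed mitigation, not the project's actual patch), and a scanner that flags marker rows carrying more than UINT16_MAX cells. Cell splitting is simplified relative to cmark-gfm (no escaped pipes, no code spans), and the function names and the constructed marker row are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of counting cells in a pipe-delimited table row such as "| --- | --- |".
 * One cell per segment between pipes; a leading pipe is skipped and a trailing
 * pipe does not open an empty cell. Simplified relative to cmark-gfm: no
 * escaped pipes, no code spans. */
static size_t count_row_cells(const char *row, size_t len) {
    size_t cells = 0;
    size_t i = (len > 0 && row[0] == '|') ? 1 : 0;
    while (i < len) {
        while (i < len && row[i] != '|') i++;   /* consume one cell */
        cells++;
        if (i < len) i++;                       /* skip the delimiter */
    }
    return cells;
}

/* Vulnerable pattern: the count is narrowed to 16 bits before it sizes the
 * heap allocation, so 65537 columns become a capacity of 1. */
static uint16_t vulnerable_column_capacity(const char *row, size_t len) {
    return (uint16_t)count_row_cells(row, len);  /* wraps silently past 65535 */
}

/* Cells that would be written past the undersized buffer (0 = no overflow).
 * Computed rather than performed, so this model stays memory-safe. */
static size_t vulnerable_overflow_cells(const char *row, size_t len) {
    size_t actual = count_row_cells(row, len);
    size_t capacity = vulnerable_column_capacity(row, len);
    return actual > capacity ? actual - capacity : 0;
}

/* Hardened pattern (an assumed mitigation, not cmark-gfm's actual patch):
 * check the full-width count before narrowing it and refuse the row if it
 * cannot fit. Returns 0 on success, -1 if there are more than UINT16_MAX cells. */
static int hardened_column_count(const char *row, size_t len, uint16_t *out) {
    size_t cells = count_row_cells(row, len);
    if (cells > UINT16_MAX) return -1;
    *out = (uint16_t)cells;
    return 0;
}

/* Detection helper: treat a line made only of '|', '-', ':', spaces and tabs
 * (with at least one '-') as a table marker row, and count how many such lines
 * in a markdown document carry more than UINT16_MAX cells. */
static int count_oversized_marker_rows(const char *doc) {
    int hits = 0;
    const char *line = doc;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t k;
        int dash = 0;
        for (k = 0; k < len; k++) {
            char c = line[k];
            if (c == '-') dash = 1;
            else if (c != '|' && c != ':' && c != ' ' && c != '\t') break;
        }
        if (k == len && dash && count_row_cells(line, len) > UINT16_MAX) hits++;
        if (!nl) break;
        line = nl + 1;
    }
    return hits;
}

/* Build a marker row "|-|-|...|" with n columns (constructed test input). */
static char *make_marker_row(size_t n) {
    char *row = malloc(2 * n + 2);
    size_t i;
    if (!row) return NULL;
    row[0] = '|';
    for (i = 0; i < n; i++) {
        row[2 * i + 1] = '-';
        row[2 * i + 2] = '|';
    }
    row[2 * n + 1] = '\0';
    return row;
}

int main(void) {
    size_t n = (size_t)UINT16_MAX + 2;   /* 65537 columns: one past the wrap */
    char *row = make_marker_row(n);
    uint16_t cols = 0;
    if (!row) return 1;
    printf("cells=%zu capacity=%u overflow=%zu hardened=%d\n",
           count_row_cells(row, strlen(row)),
           (unsigned)vulnerable_column_capacity(row, strlen(row)),
           vulnerable_overflow_cells(row, strlen(row)),
           hardened_column_count(row, strlen(row), &cols));
    free(row);
    return 0;
}
```

The scanner is a coarse pre-filter: because it does not tokenize escaped pipes or code spans the way cmark-gfm does, treat a hit as something to log and inspect rather than as proof of exploitation, and pair it with the version check from the notes above.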

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |