CVE-2022-39209Uncontrolled Resource Consumption in Github Cmark-gfm

CWE-400Uncontrolled Resource ConsumptionCWE-407Inefficient Algorithmic Complexity6 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
1.8%
top 17.04%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Github Cmark-gfmDebian Cmark-gfmDebian Ghostwriter+4 more
Timeline
PublishedSep 15
Latest updateMar 3

Description

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability ha

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

NVDgithub/cmark-gfm< 0.29.0.gfm.6
Debiangithub/cmark-gfm< 0.29.0.gfm.6-2+2
Ubuntugithub/cmark-gfm< 0.29.0.gfm.0-4ubuntu0.1~esm1+2
debiandebian/cmark-gfm< cmark-gfm 0.29.0.gfm.6-2 (bookworm)
debiandebian/python-cmarkgfm< cmark-gfm 0.29.0.gfm.6-2 (bookworm)

Also affects: Fedora 35, 36, 37

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

2
OSV
cmark-gfm vulnerabilities2025-03-03
OSV
CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C2022-09-15

📋Vendor Advisories

3
Ubuntu
cmark-gfm vulnerabilities2025-03-03
Red Hat
cmark-gfm: Unbounded resource exhaustion may lead to denial of service2022-09-15
Debian
CVE-2022-39209: cmark-gfm - cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library ...2022