CVE-2022-39209
Published: 2022-09-15
Priority: P334 · Severity: medium · CVSS 3.1 base score: 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.64% (73.4th percentile)
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cmark-gfm | < cmark-gfm 0.29.0.gfm.6-2 (bookworm) | cmark-gfm 0.29.0.gfm.6-2 (bookworm) |
| debian | ghostwriter | < cmark-gfm 0.29.0.gfm.6-2 (bookworm) | cmark-gfm 0.29.0.gfm.6-2 (bookworm) |
| debian | python-cmarkgfm | < cmark-gfm 0.29.0.gfm.6-2 (bookworm) | cmark-gfm 0.29.0.gfm.6-2 (bookworm) |
| debian | r-cran-commonmark | < cmark-gfm 0.29.0.gfm.6-2 (bookworm) | cmark-gfm 0.29.0.gfm.6-2 (bookworm) |
| debian | ruby-commonmarker | < cmark-gfm 0.29.0.gfm.6-2 (bookworm) | cmark-gfm 0.29.0.gfm.6-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github | cmark-gfm | < 0.29.0.gfm.6 | 0.29.0.gfm.6 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.6-2 | 0.29.0.gfm.6-2 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.6-2 | 0.29.0.gfm.6-2 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.6-2 | 0.29.0.gfm.6-2 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.0-4ubuntu0.1~esm1 | 0.29.0.gfm.0-4ubuntu0.1~esm1 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.3-3ubuntu0.1~esm1 | 0.29.0.gfm.3-3ubuntu0.1~esm1 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.6-6ubuntu0.24.04.1~esm1 | 0.29.0.gfm.6-6ubuntu0.24.04.1~esm1 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| osv | 6.5 | MEDIUM | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
Ubuntu
cmark-gfm vulnerabilities
vendor_ubuntu · 2025-03-03 · CVSS 7.5
CVE-2023-22484 [HIGH] cmark-gfm vulnerabilities
Summary: Several security issues were fixed in cmark-gfm.

It was discovered that cmark-gfm's autolink extension did not correctly handle parsing large inputs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-39209)

It was discovered that cmark-gfm did not correctly handle parsing large inputs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2023-22483)

It was discovered that cmark-gfm did not correctly handle parsing large inputs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu
Red Hat
cmark-gfm: Unbounded resource exhaustion may lead to denial of service
vendor_redhat · 2022-09-15 · CVSS 7.5
CVE-2022-39209 [HIGH] CWE-400
Package: commonmarker (Red Hat 3scale API Management Platform 2) - Not affected
Debian
CVE-2022-39209: cmark-gfm - cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library ...
vendor_debian · 2022 · CVSS 7.5
CVE-2022-39209 [HIGH]
Scope: local
bookworm: resolved (fixed in 0.29.0.gfm.6-2)
bullseye: open
forky: resolved (fixed in 0.29.0.gfm.6-2)
sid: resolved (fixed in 0.29.0.gfm.6-2)
trixie: r
OSV
cmark-gfm vulnerabilities
osv · 2025-03-03 · CVSS 6.5
CVE-2022-39209 [MEDIUM] cmark-gfm vulnerabilities

It was discovered that cmark-gfm's autolink extension did not correctly handle parsing large inputs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-39209)

It was discovered that cmark-gfm did not correctly handle parsing large inputs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2023-22483)

It was discovered that cmark-gfm did not correctly handle parsing large inputs. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10. (CVE-2023-22484)

It was discovered that cmark-gfm did not
OSV
CVE-2022-39209: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C
osv · 2022-09-15 · CVSS 6.5
CVE-2022-39209 [MEDIUM]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://en.wikipedia.org/wiki/Time_complexity
https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/