CVE-2023-22486
published 2023-01-26CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time…
PriorityP335high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
1.11%
61.7th percentile
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | cmark-gfm | < cmark-gfm 0.29.0.gfm.13-1 (forky) | cmark-gfm 0.29.0.gfm.13-1 (forky) |
| debian | python-cmarkgfm | < cmark-gfm 0.29.0.gfm.13-1 (forky) | cmark-gfm 0.29.0.gfm.13-1 (forky) |
| debian | r-cran-commonmark | < cmark-gfm 0.29.0.gfm.13-1 (forky) | cmark-gfm 0.29.0.gfm.13-1 (forky) |
| debian | ruby-commonmarker | < cmark-gfm 0.29.0.gfm.13-1 (forky) | cmark-gfm 0.29.0.gfm.13-1 (forky) |
| github | cmark-gfm | < 0.29.0.gfm.7 | 0.29.0.gfm.7 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.13-1 | 0.29.0.gfm.13-1 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.13-1 | 0.29.0.gfm.13-1 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.0-4ubuntu0.1~esm1 | 0.29.0.gfm.0-4ubuntu0.1~esm1 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.3-3ubuntu0.1~esm1 | 0.29.0.gfm.3-3ubuntu0.1~esm1 |
| github | cmark-gfm | >= 0 < 0.29.0.gfm.6-6ubuntu0.24.04.1~esm1 | 0.29.0.gfm.6-6ubuntu0.24.04.1~esm1 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
ghsa7.5HIGH
osv7.5HIGH
vendor_ubuntu7.5HIGH
vendor_debian3.5LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
cmark-gfm vulnerabilities
vendor_ubuntu·2025-03-03·CVSS 7.5
CVE-2023-22484 [HIGH] cmark-gfm vulnerabilities
Title: cmark-gfm vulnerabilities
Summary: Several security issues were fixed in cmark-gfm.
It was discovered that cmark-gfm's autolink extension did not correctly
handle parsing large inputs. An attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 20.04 LTS
and Ubuntu 22.04 LTS. (CVE-2022-39209)
It was discovered that cmark-gfm did not correctly handle parsing large
inputs. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and
Ubuntu 24.10. (CVE-2023-22483)
It was discovered that cmark-gfm did not correctly handle parsing large
inputs. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 24.04 LTS and Ubuntu
Debian
CVE-2023-22486: cmark-gfm - cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library ...
vendor_debian·2023·CVSS 3.5
CVE-2023-22486 [LOW] CVE-2023-22486: cmark-gfm - cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library ...
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 0.29.0.gfm.13-1)
sid: resolved (fixed in 0.29.0.gfm.13-1)
trixie: resolved (fixed in 0.29.0.gfm.13-1)
OSV
cmark-gfm vulnerabilities
osv·2025-03-03·CVSS 6.5
CVE-2022-39209 [MEDIUM] cmark-gfm vulnerabilities
cmark-gfm vulnerabilities
It was discovered that cmark-gfm's autolink extension did not correctly
handle parsing large inputs. An attacker could possibly use this issue
to cause a denial of service. This issue only affected Ubuntu 20.04 LTS
and Ubuntu 22.04 LTS. (CVE-2022-39209)
It was discovered that cmark-gfm did not correctly handle parsing large
inputs. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and
Ubuntu 24.10. (CVE-2023-22483)
It was discovered that cmark-gfm did not correctly handle parsing large
inputs. An attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 24.10.
(CVE-2023-22484)
It was discovered that cmark-gfm did not
OSV
CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C
osv·2023-01-26·CVSS 7.5
CVE-2023-22486 [HIGH] CVE-2023-22486: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.
OSV
Several quadratic complexity bugs may lead to denial of service in Commonmarker
osv·2023-01-24·CVSS 7.5
CVE-2023-22483 [HIGH] Several quadratic complexity bugs may lead to denial of service in Commonmarker
Several quadratic complexity bugs may lead to denial of service in Commonmarker
## Impact
Several quadratic complexity bugs in commonmarker's underlying [`cmark-gfm`](https://github.com/github/cmark-gfm) library may lead to unbounded resource exhaustion and subsequent denial of service.
The following vulnerabilities were addressed:
* [CVE-2023-22483](https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c)
* [CVE-2023-22484](https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r)
* [CVE-2023-22485](https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr)
* [CVE-2023-22486](https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p)
For more information, consult the release notes for version [`0.23.0.gfm.7`](
GHSA
Several quadratic complexity bugs may lead to denial of service in Commonmarker
ghsa·2023-01-24·CVSS 7.5
CVE-2023-22483 [HIGH] CWE-400 Several quadratic complexity bugs may lead to denial of service in Commonmarker
Several quadratic complexity bugs may lead to denial of service in Commonmarker
## Impact
Several quadratic complexity bugs in commonmarker's underlying [`cmark-gfm`](https://github.com/github/cmark-gfm) library may lead to unbounded resource exhaustion and subsequent denial of service.
The following vulnerabilities were addressed:
* [CVE-2023-22483](https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c)
* [CVE-2023-22484](https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r)
* [CVE-2023-22485](https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr)
* [CVE-2023-22486](https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p)
For more information, consult the release notes for version [`0.23.0.gfm.7`](
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2023-01-26
Published