CVE-2023-24824Uncontrolled Resource Consumption in Github Cmark-gfm

CWE-400Uncontrolled Resource ConsumptionCWE-407Inefficient Algorithmic Complexity7 documents5 sources
Severity
7.5HIGHNVD
EPSS
0.3%
top 44.97%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Github Cmark-gfmDebian Cmark-gfmDebian Python-cmarkgfm+2 more
Timeline
PublishedMar 31
Latest updateDec 27

Description

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes fro

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

CVEListV5github/cmark-gfm< 0.29.0.gfm.10
Hackagegithub/cmark-gfm0.1.00.2.6
NVDgithub/cmark-gfm< 0.29.0.gfm.10.
Debiangithub/cmark-gfm< 0.29.0.gfm.13-1+1
debiandebian/cmark-gfm< cmark-gfm 0.29.0.gfm.13-1 (forky)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
cmark-gfm: resource exhaustion due to quadratic complexity in parser2025-12-27
GHSA
Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service2023-04-11
OSV
Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service2023-04-11
OSV
CVE-2023-24824: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C2023-03-31

📋Vendor Advisories

2
Red Hat
cmark-gfm: Quadratic complexity bugs may lead to a denial of service2023-04-01
Debian
CVE-2023-24824: cmark-gfm - cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library ...2023