CVE-2023-26485Uncontrolled Resource Consumption in Github Cmark-gfm

CWE-400Uncontrolled Resource ConsumptionCWE-407Inefficient Algorithmic Complexity8 documents6 sources
Severity
7.5HIGHNVD
OSV6.5
EPSS
0.4%
top 41.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Github Cmark-gfmDebian Cmark-gfmDebian Python-cmarkgfm+2 more
Timeline
PublishedMar 31
Latest updateMar 3

Description

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trust

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

NVDgithub/cmark-gfm< 0.29.0.gfm.10
Debiangithub/cmark-gfm< 0.29.0.gfm.13-1+1
Ubuntugithub/cmark-gfm< 0.29.0.gfm.0-4ubuntu0.1~esm1+2
debiandebian/cmark-gfm< cmark-gfm 0.29.0.gfm.13-1 (forky)
debiandebian/python-cmarkgfm< cmark-gfm 0.29.0.gfm.13-1 (forky)

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
cmark-gfm vulnerabilities2025-03-03
GHSA
Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service2023-04-11
OSV
Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service2023-04-11
OSV
CVE-2023-26485: cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C2023-03-31

📋Vendor Advisories

3
Ubuntu
cmark-gfm vulnerabilities2025-03-03
Red Hat
commonmarker: Quadratic complexity bug may lead to a denial of service2023-04-01
Debian
CVE-2023-26485: cmark-gfm - cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library ...2023