What is CVE-2022-39209?

CVE-2022-39209 is a vulnerability in cmark-gfm, GitHub's fork of cmark, which could lead to unbounded resource exhaustion and denial of service.

What is the severity of CVE-2022-39209?

The severity of CVE-2022-39209 is high with a severity score of 6.5.

How does CVE-2022-39209 affect cmark-gfm?

CVE-2022-39209 affects cmark-gfm versions prior to 0.29.0.gfm.6 and may lead to unbounded resource exhaustion and subsequent denial of service.

How can I verify if my version of cmark-gfm is affected by CVE-2022-39209?

You can verify if your version of cmark-gfm is affected by CVE-2022-39209 by checking the patch version. Versions prior to 0.29.0.gfm.6 are affected.

How can I fix CVE-2022-39209?

To fix CVE-2022-39209, you should update cmark-gfm to version 0.29.0.gfm.6 or newer.

Vulnerability/
CVE-2022-39209

high

7.5

CWE

407 400

15/9/2022

3/8/2024

CVE-2022-39209: Uncontrolled Resource Consumption in cmark-gfm

First published: Thu Sep 15 2022(Updated: )

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Github Cmark-gfm	<0.29.0.gfm.6
Fedoraproject Fedora	=35
Fedoraproject Fedora	=36
Fedoraproject Fedora	=37

Remedy

https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-39209?
CVE-2022-39209 is a vulnerability in cmark-gfm, GitHub's fork of cmark, which could lead to unbounded resource exhaustion and denial of service.
What is the severity of CVE-2022-39209?
The severity of CVE-2022-39209 is high with a severity score of 6.5.
How does CVE-2022-39209 affect cmark-gfm?
CVE-2022-39209 affects cmark-gfm versions prior to 0.29.0.gfm.6 and may lead to unbounded resource exhaustion and subsequent denial of service.
How can I verify if my version of cmark-gfm is affected by CVE-2022-39209?
You can verify if your version of cmark-gfm is affected by CVE-2022-39209 by checking the patch version. Versions prior to 0.29.0.gfm.6 are affected.
How can I fix CVE-2022-39209?
To fix CVE-2022-39209, you should update cmark-gfm to version 0.29.0.gfm.6 or newer.

collector/nvd-index
agent/weakness
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/author
agent/severity
agent/remedy
agent/title
agent/description
agent/first-publish-date
agent/event
agent/tags
vendor/github
canonical/github cmark-gfm
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/35
version/fedoraproject fedora/36
version/fedoraproject fedora/37