7.5
CWE
400 407
Advisory Published
Updated

CVE-2023-24824: Quadratic complexity may lead to a denial of service in cmark-gfm

First published: Fri Mar 31 2023(Updated: )

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Github Cmark-gfm<0.29.0.gfm.10.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is CVE-2023-24824?

    CVE-2023-24824 is a vulnerability in cmark-gfm, GitHub's fork of cmark, that can lead to unbounded resource exhaustion and denial of service due to a polynomial time complexity issue.

  • What is the severity of CVE-2023-24824?

    CVE-2023-24824 has a severity rating of 7.5 (high).

  • How does CVE-2023-24824 impact cmark-gfm?

    CVE-2023-24824 affects cmark-gfm by causing quadratic complexity issues when parsing text that leads with certain patterns.

  • Which version of cmark-gfm is affected by CVE-2023-24824?

    Versions up to and excluding 0.29.0.gfm.10 of cmark-gfm are affected by CVE-2023-24824.

  • Is there a fix for CVE-2023-24824?

    Yes, a fix has been implemented in cmark-gfm. Users should update to the latest version to mitigate the vulnerability.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203