First published: Fri Mar 31 2023
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GitHub cmark-gfm | < 0.29.0.gfm.10 | Upgrade to 0.29.0.gfm.10 or later |
CVE-2023-24824 is a vulnerability in cmark-gfm, GitHub's fork of cmark, that can lead to unbounded resource exhaustion and denial of service due to a polynomial time complexity issue.
CVE-2023-24824 has a severity rating of 7.5 (high).
CVE-2023-24824 affects cmark-gfm through quadratic parsing complexity when the input text leads with large numbers of `>` or `-` characters.
Versions of cmark-gfm before 0.29.0.gfm.10 are affected by CVE-2023-24824.
A fix has been implemented in cmark-gfm; users should update to the latest version to mitigate the vulnerability.
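An added pre-parse check, written for this page and not part of the advisory or of cmark-gfm itself: it parses cmark-gfm's `X.Y.Z.gfm.N` version strings so a deployment can tell affected builds from fixed ones, and, for hosts that cannot upgrade yet and must validate their input, rejects Markdown whose lines open with an unusually long run of `>` or `-` markers. The per-line scope, the marker regex and the `max_run` threshold are assumptions, not details from the advisory.

```python
import re

# Fixed release named in the advisory; anything older is affected.
FIXED_VERSION = "0.29.0.gfm.10"


def parse_gfm_version(version):
    """Turn a cmark-gfm version such as '0.29.0.gfm.10' into the comparable
    tuple (0, 29, 0, 10). Other formats raise ValueError."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.gfm\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"not a cmark-gfm version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    """True when the given cmark-gfm build predates the fix."""
    return parse_gfm_version(version) < parse_gfm_version(FIXED_VERSION)


def max_leading_run(text):
    """Longest run of '>' or '-' markers opening any line of the text.

    Up to three leading spaces are ignored (CommonMark allows them before a
    block marker) and spaces between '>' markers are tolerated, because
    '> > >' nests block quotes just like '>>>'. This is a heuristic input
    guard (assumption), not a re-implementation of the cmark-gfm parser.
    """
    worst = 0
    for line in text.splitlines():
        body = re.sub(r"^ {0,3}", "", line)
        m = re.match(r"(?:> ?)+|-+", body)
        if m:
            run = m.group(0)
            worst = max(worst, run.count(">") + run.count("-"))
    return worst


def accept_markdown(text, max_run=100):
    """Return True if no line opens with more than max_run markers.
    The threshold is an assumed, tunable policy value; tighten it to
    match the deepest quoting or longest rule your content legitimately uses."""
    return max_leading_run(text) <= max_run
```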