What is CVE-2023-24824?

CVE-2023-24824 is a vulnerability in cmark-gfm, GitHub's fork of cmark, that can lead to unbounded resource exhaustion and denial of service due to a polynomial time complexity issue.

What is the severity of CVE-2023-24824?

CVE-2023-24824 has a severity rating of 7.5 (high).

How does CVE-2023-24824 impact cmark-gfm?

CVE-2023-24824 affects cmark-gfm by causing quadratic complexity issues when parsing text that leads with certain patterns.

Which version of cmark-gfm is affected by CVE-2023-24824?

Versions up to and excluding 0.29.0.gfm.10 of cmark-gfm are affected by CVE-2023-24824.

Is there a fix for CVE-2023-24824?

Yes, a fix has been implemented in cmark-gfm. Users should update to the latest version to mitigate the vulnerability.

Vulnerability/
CVE-2023-24824

high

7.5

CWE

400 407

31/3/2023

2/8/2024

CVE-2023-24824: Quadratic complexity may lead to a denial of service in cmark-gfm

First published: Fri Mar 31 2023(Updated: )

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Github Cmark-gfm	<0.29.0.gfm.10.

Remedy

https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-24824?
CVE-2023-24824 is a vulnerability in cmark-gfm, GitHub's fork of cmark, that can lead to unbounded resource exhaustion and denial of service due to a polynomial time complexity issue.
What is the severity of CVE-2023-24824?
CVE-2023-24824 has a severity rating of 7.5 (high).
How does CVE-2023-24824 impact cmark-gfm?
CVE-2023-24824 affects cmark-gfm by causing quadratic complexity issues when parsing text that leads with certain patterns.
Which version of cmark-gfm is affected by CVE-2023-24824?
Versions up to and excluding 0.29.0.gfm.10 of cmark-gfm are affected by CVE-2023-24824.
Is there a fix for CVE-2023-24824?
Yes, a fix has been implemented in cmark-gfm. Users should update to the latest version to mitigate the vulnerability.

collector/nvd-index
agent/weakness
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/remedy
agent/title
agent/severity
agent/author
agent/tags
agent/first-publish-date
agent/event
agent/description
vendor/github
canonical/github cmark-gfm

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.