7.5
CWE
400 407
Advisory Published
Updated

CVE-2023-26485: Quadratic complexity may lead to a denial of service in cmark-gfm

First published: Fri Mar 31 2023(Updated: )

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. ### Impact A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. ### Proof of concept ``` $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing the number 10000 in the above commands causes the running time to increase quadratically. ### Patches This vulnerability have been patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of [cmark](https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both `cmark` and `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting this vulnerability. ### References https://en.wikipedia.org/wiki/Time_complexity ### For more information If you have any questions or comments about this advisory: * Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Github Cmark-gfm<0.29.0.gfm.10

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is CVE-2023-26485?

    CVE-2023-26485 is a vulnerability in cmark-gfm, a CommonMark parsing and rendering library and program in C, which may lead to denial of service due to unbounded resource exhaustion.

  • What is the severity of CVE-2023-26485?

    The severity of CVE-2023-26485 is high with a CVSS score of 7.5.

  • How does CVE-2023-26485 impact cmark-gfm?

    CVE-2023-26485 introduces a polynomial time complexity issue when parsing text, which can result in unbounded resource usage and subsequent denial of service.

  • Which versions of cmark-gfm are affected by CVE-2023-26485?

    Versions up to and excluding 0.29.0.gfm.10 of cmark-gfm are affected by CVE-2023-26485.

  • Is there a fix for CVE-2023-26485?

    Yes, a fix for CVE-2023-26485 has been implemented. It is recommended to update to a version of cmark-gfm that includes the fix.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203