CVE-2018-18385
Description
Asciidoctor in versions < 1.5.8 allows remote attackers to cause a denial of service (infinite loop). The loop was caused by the fact that Parser.next_block was not exhausting all the lines in the reader as the while loop expected it would. This was happening because the regular expression that detects any list was not agreeing with the regular expression that detects a specific list type. So the line kept getting pushed back onto the reader, hence causing the loop.
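The disagreement between the two detectors described above can be reproduced in a toy model. This Ruby sketch is an added example, not Asciidoctor's code: the regular expressions, `next_block`, `parse` and the sample input are all constructed for illustration.

```ruby
# Toy model of the failure mode; NOT Asciidoctor's code or its real regexes.
# Constructed patterns: the generic detector tolerates a missing space after
# the marker, the type-specific ones do not, so the two can disagree.
ANY_LIST_RX = /\A\s*(?:[-*]|\d+\.)\s*\S/
BULLET_RX   = /\A\s*[-*]\s+\S/
ORDERED_RX  = /\A\s*\d+\.\s+\S/
SPECIFIC_RXS = [BULLET_RX, ORDERED_RX].freeze
# Hardened detector: derived from the specific patterns, so it cannot disagree.
AGREED_LIST_RX = Regexp.union(*SPECIFIC_RXS)

# Hypothetical next_block: consumes one line, or pushes it back when the
# generic detector says "list" but no specific list type accepts the line.
def next_block(lines, any_list_rx)
  line = lines.shift
  if any_list_rx.match?(line)
    type = SPECIFIC_RXS.index { |rx| rx.match?(line) }
    if type.nil?
      lines.unshift(line) # pushed back: the reader did not advance
      return nil
    end
    return [type.zero? ? :ulist : :olist, line]
  end
  [:paragraph, line]
end

# Driver with the check the toy loop needs: every iteration must shrink the
# reader, otherwise stop and report the stuck line instead of spinning.
def parse(source, any_list_rx)
  lines = source.lines(chomp: true)
  blocks = []
  until lines.empty?
    before = lines.size
    block = next_block(lines, any_list_rx)
    blocks << block if block
    return { status: :stalled, line: lines.first, blocks: blocks } if lines.size >= before
  end
  { status: :ok, blocks: blocks }
end

SAMPLE = "- item\n-x\n1. one\n" # constructed input for the toy grammar
```

With `ANY_LIST_RX` the driver reports `:stalled` on the line the two patterns disagree about; with `AGREED_LIST_RX` the same line falls through to a paragraph and parsing completes.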
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Asciidoctor versions before 1.5.8 contain an infinite loop vulnerability in Parser.next_block, enabling remote denial of service via crafted AsciiDoc input.
Vulnerability
Asciidoctor versions prior to 1.5.8 contain a denial-of-service vulnerability in the Parser#next_block method. The while loop in this method expects to exhaust all lines from the reader, but a mismatch between the regular expression that detects any list and the regular expression for a specific list type causes a line to be repeatedly pushed back onto the reader, resulting in an infinite loop [1][2][4].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted AsciiDoc file that triggers the regex mismatch. No authentication or special privileges are required; the attacker only needs to supply the malicious input to an application using Asciidoctor (e.g., via file upload or web form). The parser then enters an infinite loop, consuming CPU resources indefinitely [2][4].
Impact
Successful exploitation leads to a denial of service (infinite loop) causing high CPU usage and potentially making the application unresponsive. No data confidentiality or integrity is compromised; the impact is limited to availability [2].
Mitigation
The fix was released in Asciidoctor version 1.5.8. Users should upgrade to 1.5.8 or later. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1][2][3][4].
- [1] GitHub - asciidoctor/asciidoctor: :gem: A fast, open source text processor and publishing toolchain, written in Ruby, for converting AsciiDoc content to HTML 5, DocBook 5, and other formats.
- [2] NVD - CVE-2018-18385
- [3] ruby-advisory-db/gems/asciidoctor/CVE-2018-18385.yml at master · rubysec/ruby-advisory-db
- [4] Infinite loop in Parser#next_block
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| asciidoctor (RubyGems) | < 1.5.8 | 1.5.8 |
Affected products
- Range: <1.5.8
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-qc9p-mjxm-j2wj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-18385 (ghsa, ADVISORY)
- github.com/asciidoctor/asciidoctor/issues/2888 (ghsa, x_refsource_MISC, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/asciidoctor/CVE-2018-18385.yml (ghsa, WEB)