Unrated severityNVD Advisory· Published Mar 31, 2023· Updated Feb 11, 2025

Quadratic complexity may lead to a denial of service in cmark-gfm

CVE-2023-24824

Description

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of > or - characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

Affected products

osv-coords3 versions
pkg:hackage/cmark-gfm pkg:rpm/almalinux/pandoc pkg:rpm/almalinux/pandoc-common
>= 0.1.0, < 0.2.6+ 2 more
- (no CPE)range: >= 0.1.0, < 0.2.6
- (no CPE)range: < 2.0.6-7.el8_10
- (no CPE)range: < 2.0.6-7.el8_10
GitHub/Cmark Gfmcpe-rescue
Range: < 0.29.0.gfm.10

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59mitrex_refsource_MISC
github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xhmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000