CVE-2024-44337
Description
The package github.com/gomarkdown/markdown is a Go library for parsing Markdown text and rendering it as HTML. Prior to pseudoversion v0.0.0-20240729232818-a2a9c4f, which corresponds to commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252, a logic error in the paragraph function of parser/block.go allowed a remote attacker to cause a denial of service (DoS): a tailor-made input sent the parser into an infinite loop, so the program hung and consumed resources indefinitely. Commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252 fixes the problem.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An infinite loop in the paragraph function of gomarkdown/markdown allows remote denial of service via crafted Markdown input prior to commit a2a9c4f.
Vulnerability Overview
The github.com/gomarkdown/markdown library, a Go parser for Markdown-to-HTML conversion, contains a logic flaw in the paragraph function in parser/block.go [1][2]. When the definition-list sub-parser matches nothing (an empty list definition), paragraph reports that it consumed no input, so the enclosing block loop never advances and the parser spins forever on specially crafted Markdown, a denial of service (DoS) [4]. The issue exists in versions prior to pseudoversion v0.0.0-20240729232818-a2a9c4f (commit a2a9c4f) [2].
Attack Vector and Exploitation
A remote attacker can trigger the infinite loop by submitting a tailor-made Markdown document to an application that uses the vulnerable library [2][4]. No authentication is required beyond whatever the embedding application enforces: the loop is entered during parsing itself, before any rendering, so every service that parses user-supplied Markdown with an affected version is exposed (comment systems, wikis, issue trackers, static-site build pipelines fed by untrusted content).
Impact
Successful exploitation causes the Go program to hang indefinitely, consuming CPU and memory resources [2][4]. This results in a denial-of-service condition, degrading or halting service availability. No data exfiltration or code execution is reported.
Mitigation
The issue is fixed in commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252 [2]. Update the dependency to a pseudoversion that contains this commit; the advisory table below lists 0.0.0-20240729212818-a2a9c4f76ef5 as the first patched version. Note that the NVD text gives the pseudoversion timestamp as 20240729232818 while the advisory gives 20240729212818; the commit hash a2a9c4f76ef5 is identical in both and is the reliable anchor when checking go.sum or go.mod. The Go vulnerability database tracks the issue as GO-2024-3205 [3], so govulncheck run against the module reports it under that ID when a vulnerable version is in the build list. A per-request timeout is not a substitute for upgrading: Go cannot preempt and kill the spinning goroutine, so a timeout only bounds the caller's wait while the CPU stays pinned.
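To make the mechanic concrete, here is an added Go model of the affected control flow. It is illustrative code written for this page, not gomarkdown's source: `paragraph`, `definitionList`, `blankLine` and `parseBlocks` are simplified stand-ins for the library's paragraph function, its p.list definition-list parser, its blank-line check and its outer block loop, all names are this example's own, and the inputs are constructed. The `guard` flag switches between the pre-fix return (`return prev + listLen` even when `listLen == 0`) and the fixed one (return early only `if listLen > 0`). The driver refuses to spin, so the vulnerable variant reports the zero-progress condition instead of hanging the process.

```go
package main

import (
	"bytes"
	"fmt"
)

// blankLine returns the length of a leading whitespace-only line, including
// its newline, or 0 if the line has content. Stand-in for the library's
// blank-line check; not gomarkdown's code.
func blankLine(data []byte) int {
	for i, c := range data {
		switch c {
		case '\n':
			return i + 1
		case ' ', '\t', '\r':
			// keep scanning
		default:
			return 0
		}
	}
	return len(data) // whitespace-only tail
}

// definitionList is a toy stand-in for p.list(..., ast.ListTypeDefinition, ...).
// It accepts "term\n: description" and returns the bytes consumed, but returns
// 0 (declines the match) when the text after ':' is empty, which is the
// "empty list definition" named in the fix commit. A sub-parser that can
// legitimately return 0 is what the pre-fix paragraph code did not account for.
func definitionList(data []byte) int {
	nl := bytes.IndexByte(data, '\n')
	if nl < 0 || nl+1 >= len(data) || data[nl+1] != ':' {
		return 0 // not "term\n:" shaped
	}
	descStart := nl + 2
	end := len(data)
	if k := bytes.IndexByte(data[descStart:], '\n'); k >= 0 {
		end = descStart + k + 1
	}
	if len(bytes.TrimSpace(data[descStart:end])) == 0 {
		return 0 // empty definition: the sub-parser declines and consumes nothing
	}
	return end
}

// paragraph models the affected function. It scans line by line, tracking
// prev (start of the previous line) and line (start of the current one).
// When a line begins with ':' it hands data[prev:] to definitionList, as the
// affected code handed it to p.list. With guard == false it keeps the pre-fix
// logic and returns prev + listLen even when listLen == 0; with guard == true
// it applies the fix and returns early only when the sub-parser made progress.
func paragraph(data []byte, guard bool) int {
	var prev, line, i int
	for i < len(data) {
		prev = line
		line = i
		current := data[i:]

		if n := blankLine(current); n > 0 {
			return i + n // a blank line ends the paragraph
		}
		if current[0] == ':' {
			listLen := definitionList(data[prev:])
			if !guard || listLen > 0 {
				return prev + listLen
			}
			// fixed path: not a definition list after all, keep scanning
		}
		if nl := bytes.IndexByte(current, '\n'); nl >= 0 {
			i += nl + 1
		} else {
			i = len(data)
		}
	}
	return i
}

// parseBlocks models the outer block loop that slices each consumed block off
// the front of the input. Unlike an unguarded driver it refuses to spin: zero
// progress on non-empty input is reported as an error instead of looping.
func parseBlocks(data []byte, guard bool) (int, error) {
	blocks := 0
	for len(data) > 0 {
		n := paragraph(data, guard)
		if n <= 0 {
			return blocks, fmt.Errorf("paragraph consumed 0 of %d remaining bytes; an unguarded loop here never terminates", len(data))
		}
		data = data[n:]
		blocks++
	}
	return blocks, nil
}

func main() {
	// Constructed inputs for this example; not the fix commit's test vector.
	inputs := []string{
		"term\n: meaning\n",  // well-formed definition list: both variants accept it
		"intro\n\nterm\n:\n", // empty definition after one paragraph: pre-fix logic spins
	}
	for _, in := range inputs {
		for _, guard := range []bool{false, true} {
			n, err := parseBlocks([]byte(in), guard)
			fmt.Printf("guard=%-5v input=%q blocks=%d err=%v\n", guard, in, n, err)
		}
	}
}
```

Running it prints one line per input and variant: the pre-fix variant stops on the empty definition with "paragraph consumed 0 of 7 remaining bytes" after one block, the fixed variant parses two blocks. The fix commit's own byte string exercises the real p.list and is not reproduced by this toy sub-parser; the point the model shows is the shape of the bug, a sub-parser allowed to return zero and a caller that forwards that zero as progress.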
- [1] GitHub - gomarkdown/markdown: markdown parser and HTML renderer for Go
- [2] NVD - CVE-2024-44337
- [3] GO-2024-3205 - Go Packages
- [4] GitHub - Brinmon/CVE-2024-44337: CVE-2024-44337 POC
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/gomarkdown/markdown | Go | < 0.0.0-20240729212818-a2a9c4f76ef5 | 0.0.0-20240729212818-a2a9c4f76ef5 |
Affected products
No CPE is assigned. OSV coordinates (7 package URLs with affected ranges):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/fq | < 0.13.0-r0 |
| pkg:apk/chainguard/kube-metrics-adapter | < 0.2.3-r2 |
| pkg:apk/wolfi/fq | < 0.13.0-r0 |
| pkg:apk/wolfi/kube-metrics-adapter | < 0.2.3-r2 |
| pkg:golang/github.com/gomarkdown/markdown | < 0.0.0-20240729212818-a2a9c4f76ef5 |
| pkg:rpm/opensuse/fq&distro=openSUSE%20Tumbleweed | < 0.14.0-1.1 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed | < 0.0.20241213T205935-1.1 |
Patches
a2a9c4f76ef5 fix infinite loop with empty list definition (fixes #311)
2 files changed · +9 −1
parser/block.go+3 −1 modified@@ -1652,7 +1652,9 @@ func (p *Parser) paragraph(data []byte) int { if p.extensions&DefinitionLists != 0 { if i < len(data)-1 && data[i+1] == ':' { listLen := p.list(data[prev:], ast.ListTypeDefinition, 0, '.') - return prev + listLen + if listLen > 0 { + return prev + listLen + } } }
parser/parser_test.go+6 −0 modified@@ -4,6 +4,12 @@ import ( "testing" ) +func TestBug311(t *testing.T) { + str := "~~~~\xb4~\x94~\x94~\xd1\r\r:\xb4\x94\x94~\x9f~\xb4~\x94~\x94\x94" + p := New() + p.Parse([]byte(str)) +} + func TestIsFenceLine(t *testing.T) { tests := []struct { data []byte
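Review bot: in the parser/block.go hunk, the new `if listLen > 0` guard around `return prev + listLen` stops paragraph from reporting zero bytes consumed when p.list declines the match, but it hardens only this one call site; the loop that calls paragraph evidently trusts the returned count for progress (that is the hang the description reports), so a caller-side check that treats a zero return on non-empty input as an error, or at least advances past the current line, would make this class of hang impossible to reintroduce by the next sub-parser that can return 0. Also add a one-line comment on the fall-through after the closing `}` stating that a zero from p.list means "not a definition list, keep scanning"; as written the reader has to reconstruct why control continues into the rest of the loop.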
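Review bot: in the parser/parser_test.go hunk, TestBug311 passes merely because `p.Parse([]byte(str))` returns, so on regression it hangs the whole test binary until the go test deadline instead of failing with a message; run the parse in a goroutine and fail through a select on a short timer, and say in a comment what the raw bytes are (the `:` following `\r\r` is what reaches the `data[i+1] == ':'` branch guarded in block.go), since the escaped string is otherwise opaque to the next maintainer. The test also depends on `New()` enabling the DefinitionLists extension by default; passing that extension explicitly would keep the regression covered if the defaults ever change.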
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.