{ "schema_version": "1.4.0", "id": "GHSA-4qw4-jpp4-8gvp", "modified": "2022-09-21T18:18:05Z", "published": "2022-09-21T18:18:05Z", "aliases": [], "summary": "Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service", "details": "### Impact\n\nCommonMarker uses `cmark-gfm` for rendering [Github Flavored Markdown](https://github.github.com/gfm/). A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.\n\n### Patches\n\nThis vulnerability has been patched in the following CommonMarker release:\n\n- v0.23.6\n\n### Workarounds\n\nDisable use of the autolink extension.\n\n### References\n\nhttps://github.com/gjtorikian/commonmarker/pull/190\nhttps://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q\nhttps://en.wikipedia.org/wiki/Time_complexity\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)\n\n### Acknowledgements\n\nWe would like to thank [Legit Security](https://www.legitsecurity.com) for reporting this vulnerability.\n", "severity": [], "affected": [ { "package": { "ecosystem": "RubyGems", "name": "commonmarker" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "0.23.6" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-4qw4-jpp4-8gvp" }, { "type": "WEB", "url": "https://github.com/gjtorikian/commonmarker/pull/190" }, { "type": "PACKAGE", "url": "https://github.com/gjtorikian/commonmarker" }, { "type": "WEB", "url": "https://github.com/gjtorikian/commonmarker/releases/tag/v0.23.6" } ], "database_specific": { "cwe_ids": [ "CWE-400" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-09-21T18:18:05Z", "nvd_published_at": null } }