Algorithmic Complexity Affecting cmark-gfm package, versions <0.29.0.gfm.6-2


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Exploit Maturity
Not Defined
EPSS
0.17% (55th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN13-CMARKGFM-5678335
  • published16 Sept 2022
  • disclosed15 Sept 2022

Introduced: 15 Sep 2022

CVE-2022-39209  (opens in a new tab)
CWE-407  (opens in a new tab)

How to fix?

Upgrade Debian:13 cmark-gfm to version 0.29.0.gfm.6-2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cmark-gfm package and not the cmark-gfm package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running python3 -c &#39;print(&#34;![l&#34;* 100000 + &#34;\n&#34;)&#39; | ./cmark-gfm -e autolink, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

CVSS Scores

version 3.1