Upgrade Oracle:6 firefox to version 0:68.10.0-1.0.1.el6_10 or higher. This issue was patched in ELSA-2020-2824 .

Inefficient Algorithmic Complexity Affecting league/commonmark package, versions <2.6.0

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-PHP-LEAGUECOMMONMARK-8493867
published10 Dec 2024
disclosed9 Dec 2024
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 9 Dec 2024

CWE-407 (opens in a new tab)

How to fix?

Upgrade league/commonmark to version 2.6.0 or higher.

Overview

league/commonmark is a PHP-based Markdown parser which supports the full CommonMark spec. It is based on the CommonMark JS reference implementation.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the parsing of specially crafted Markdown inputs. An attacker can exhaust system resources and cause a denial of service.

Workaround

This vulnerability can be mitigated by setting very low memory_limit and max_execution_time PHP configurations to prevent runaway resource usage, implementing rate-limiting, bot protection, or other approaches to reduce the risk of simultaneous bad requests hitting your site, limiting the size of inputs fed into this library, and limiting the use of this library to trusted users.

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None