Homepage
About Snyk

Improper Handling of Exceptional Conditions Affecting comrak package, versions <0.17.0

0.0
medium

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.41% (74th percentile)
Expand this section
NVD
9.8 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUST-COMRAK-5291799
  • published 29 Mar 2023
  • disclosed 28 Mar 2023
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 28 Mar 2023

CVE-2023-28631 Open this link in a new tab
CWE-755 Open this link in a new tab

How to fix?

Upgrade comrak to version 0.17.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions when AST can be constructed manually by a program instead of parsing a Markdown document with parse_document. This AST can then be converted to HTML via html::format_document_with_plugins. However, the HTML formatting code assumes that the AST is well-formed. For example, many AST notes contain [u8] fields which the formatting code assumes is valid UTF-8 data.

Workaround

  • Validate UTF-8 correctness of all data when assigning to &[u8] and Vec<u8> fields in the AST.