CVE-2022-39209
HIGHcmark-gfm < 0.29.0.gfm.6 - Denial of Service via Autolink Extension
Title source: llmDescription
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
References (6)
Core 6
Core References
Third Party Advisory
https://en.wikipedia.org/wiki/Time_complexity
Patch, Third Party Advisory
https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
Third Party Advisory
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/
Scores
CVSS v3
7.5
EPSS
0.0157
EPSS Percentile
72.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-407
CWE-400
Status
published
Products (4)
fedoraproject/fedora
35
fedoraproject/fedora
36
fedoraproject/fedora
37
github/cmark-gfm
< 0.29.0.gfm.6
Published
Sep 15, 2022
Tracked Since
Feb 18, 2026