Impact
A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.
Patches
This vulnerability has been patched in 0.29.0.gfm.6.
You may verify the patch by running
python3 -c 'print("![l" * 100000 + "\n")' | ./cmark-gfm -e autolink
which exhausts CPU and memory (appears to hang) on unpatched cmark-gfm but renders correctly and promptly on patched cmark-gfm.
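The one-liner above is a pass/fail check by eye. The following script, added here as an illustration and not part of the advisory or of the cmark-gfm project, generalizes it into a small timing harness: it builds the same "![l" payload at several sizes, renders each with the autolink extension enabled under a timeout, and flags a build as vulnerable if any run times out or if the fitted growth exponent is well above linear. The binary path (environment variable CMARK_GFM, falling back to cmark-gfm on PATH), the sample sizes and the 1.5 exponent threshold are assumptions chosen for this example.

```python
"""Timing harness for the cmark-gfm autolink polynomial-time issue.

Added example, not the advisory's own code. Assumes a cmark-gfm binary that
understands `-e autolink`, located via the CMARK_GFM environment variable
(assumed name) or found on PATH.
"""
import math
import os
import shutil
import subprocess
import time
from typing import Dict, Optional


def make_payload(n: int) -> bytes:
    """Reproduce the advisory's input: "![l" repeated n times, newline-terminated."""
    return b"![l" * n + b"\n"


def time_render(binary: str, n: int, timeout: float) -> Optional[float]:
    """Render make_payload(n) with the autolink extension enabled.

    Returns wall-clock seconds taken, or None if the process exceeded `timeout`
    (the unpatched behaviour on a large enough input).
    """
    start = time.perf_counter()
    try:
        subprocess.run(
            [binary, "-e", "autolink"],
            input=make_payload(n),
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=timeout,
            check=True,
        )
    except subprocess.TimeoutExpired:
        return None
    return time.perf_counter() - start


def growth_exponent(n1: int, t1: float, n2: int, t2: float) -> float:
    """Estimate k in t ~ n**k from two measurements (log-log slope).

    Tiny timings are floored so a near-zero measurement does not divide by zero.
    """
    t1 = max(t1, 1e-6)
    t2 = max(t2, 1e-6)
    return math.log(t2 / t1) / math.log(n2 / n1)


def looks_vulnerable(timings: Dict[int, Optional[float]], threshold: float = 1.5) -> bool:
    """Classify a set of {payload_size: seconds_or_None} measurements.

    A timeout at any size, or a growth exponent above `threshold` between the
    smallest and largest size, is treated as the polynomial-time behaviour.
    A linear-time parser should give an exponent close to 1.
    """
    if any(t is None for t in timings.values()):
        return True
    sizes = sorted(timings)
    if len(sizes) < 2:
        return False
    n1, n2 = sizes[0], sizes[-1]
    return growth_exponent(n1, timings[n1], n2, timings[n2]) > threshold


if __name__ == "__main__":
    binary = os.environ.get("CMARK_GFM") or shutil.which("cmark-gfm")
    if not binary:
        raise SystemExit("cmark-gfm not found; set CMARK_GFM to the binary path")
    # Sizes are assumed for the example; 100000 is the advisory's own figure.
    results: Dict[int, Optional[float]] = {}
    for n in (10_000, 20_000, 40_000, 100_000):
        results[n] = time_render(binary, n, timeout=10.0)
        shown = "timeout" if results[n] is None else f"{results[n]:.3f}s"
        print(f"n={n:>7}: {shown}")
    print("vulnerable" if looks_vulnerable(results) else "looks patched")
```

Run it once against the build you are deploying; a patched 0.29.0.gfm.6 binary should finish every size in well under a second with an exponent near 1, while an unpatched build either times out or shows the exponent climbing toward 2 as the sizes double.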
Workarounds
Disable use of the autolink extension: for the command-line tool, omit -e autolink; for applications embedding libcmark-gfm, do not attach the autolink syntax extension to the parser until you are running 0.29.0.gfm.6 or later.
References
https://en.wikipedia.org/wiki/Time_complexity
For more information
If you have any questions or comments about this advisory:
Acknowledgements
We would like to thank Legit Security for reporting this vulnerability.