Comrak vulnerable to quadratic runtime issues when parsing Markdown (GHSL-2023-047)
Description
Published to the GitHub Advisory Database: Mar 28, 2023
Reviewed: Mar 28, 2023
Published by the National Vulnerability Database: Mar 28, 2023
Last updated: May 1, 2023
Impact
A range of quadratic parsing issues from cmark/cmark-gfm are also present in Comrak. These can be used to craft denial-of-service attacks on services that use Comrak to parse Markdown.
Patches
Comrak 0.17.0 contains fixes for the known quadratic parsing issues.
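The Impact section says the issues are quadratic, i.e. parse time grows with the square of input length, so a modest input can pin a CPU. The check a practitioner wants is a scaling probe: parse an input of size n and 2n and compare the cost; a ratio near 2 is linear, near 4 is quadratic. The following is an added example, not Comrak's or cmark's code. It uses a constructed stand-in scanner (`naive_close_scan`) that rescans earlier input on every `]`, purely to illustrate the bug class, and a linear counterpart; the probe inputs are constructed. The `timed` adapter shows where a real parser call such as `comrak::markdown_to_html` (the comrak 0.17 API; the crate is not a dependency of this example) would be substituted.

```rust
use std::time::Instant;

/// Constructed stand-in for the quadratic bug class: on every `]` the scanner
/// walks back over all earlier input looking for a `[`. Balanced links are
/// cheap, but a run of unmatched `]` costs O(n^2). Returns the steps taken.
/// Illustrative only; this is not Comrak's actual inline parser.
fn naive_close_scan(input: &str) -> u64 {
    let bytes = input.as_bytes();
    let mut steps: u64 = 0;
    for (i, &b) in bytes.iter().enumerate() {
        if b != b']' {
            continue;
        }
        // Walk backwards until an opener is found or the start is reached.
        let mut j = i;
        while j > 0 {
            j -= 1;
            steps += 1;
            if bytes[j] == b'[' {
                break;
            }
        }
    }
    steps
}

/// Linear-time counterpart: keep open brackets on a stack. An empty stack
/// already proves that no opener exists, so nothing is ever rescanned.
fn linear_close_scan(input: &str) -> u64 {
    let mut opens: Vec<usize> = Vec::new();
    let mut steps: u64 = 0;
    for (i, &b) in input.as_bytes().iter().enumerate() {
        steps += 1;
        match b {
            b'[' => opens.push(i),
            b']' => {
                opens.pop();
            }
            _ => {}
        }
    }
    steps
}

/// Estimate how cost scales with input size: measure `unit` repeated `base`
/// and `2 * base` times and return log2 of the cost ratio. About 1.0 means
/// linear behaviour, about 2.0 means quadratic.
fn growth_exponent<F: Fn(&str) -> u64>(cost: F, unit: &str, base: usize) -> f64 {
    let small = unit.repeat(base);
    let large = unit.repeat(base * 2);
    let c1 = cost(&small).max(1) as f64;
    let c2 = cost(&large).max(1) as f64;
    (c2 / c1).log2()
}

/// Adapter for a real parser: report wall-clock nanoseconds instead of steps.
/// For Comrak you would pass something like
/// `|s| { comrak::markdown_to_html(s, &comrak::ComrakOptions::default()); }`
/// (assumed comrak 0.17 API; not compiled here).
fn timed<F: Fn(&str)>(parse: F) -> impl Fn(&str) -> u64 {
    move |s: &str| {
        let start = Instant::now();
        parse(s);
        start.elapsed().as_nanos() as u64
    }
}

fn main() {
    let base = 2_000;
    println!("naive, balanced links:     {:.2}", growth_exponent(naive_close_scan, "[a](b)", base));
    println!("naive, unmatched closers:  {:.2}", growth_exponent(naive_close_scan, "]", base));
    println!("linear, unmatched closers: {:.2}", growth_exponent(linear_close_scan, "]", base));
    // The same probe against wall time; timing is noisy on tiny inputs, so use a larger base.
    let t = timed(|s| {
        naive_close_scan(s);
    });
    println!("naive (timed), unmatched:  {:.2}", growth_exponent(t, "]", 8_000));
}
```

When probing a real parser, run the timed variant several times per size and take the minimum, and try inputs built from each delimiter the parser matches (brackets, emphasis markers, backticks, table pipes), since a quadratic path usually shows up only for one specific repeated construct.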
Workarounds
n/a
References