
Denial of service in table parsing

philipturnbull published GHSA-7gc6-9qr5-hc85 Jun 30, 2020
Severity: low
Packages: cmark-gfm
Affected versions: < 0.29.0.gfm.1
Patched versions: 0.29.0.gfm.1
CVE identifier: CVE-2020-5238

Impact

The table extension in GitHub Flavored Markdown (the cmark-gfm `table` extension) takes quadratic, O(n²), time to parse certain inputs, where n is the size of the input. An attacker who can submit markdown to a service that renders it with cmark-gfm could craft a table that takes an unreasonably long time to process, causing a denial of service. This issue does not affect the upstream cmark project, which does not include the table extension.
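A practical way to check whether a given cmark-gfm build shows the superlinear behaviour described above is to time the parser on inputs of doubling size and fit the growth exponent: roughly 1 means linear, roughly 2 means quadratic. The script below is an added example written for this page, not code from the advisory or from the cmark-gfm project. It assumes the `cmark-gfm` command-line binary is on PATH (invoked here with `-e table` to enable the extension). The advisory does not say which table shapes hit the slow path, so the generated input (a table with many rows of pipe-separated cells) is a guessed candidate, not a known trigger; a fixed build (0.29.0.gfm.1 or later) should report an exponent close to 1 regardless.

```python
"""Empirical scaling check for cmark-gfm table parsing.

Added example, not part of the advisory or the cmark-gfm project.
Assumes a `cmark-gfm` binary on PATH that accepts `-e table`.
The table shape generated below is an assumption about a plausible
worst case, not a trigger documented in the advisory.
"""
import math
import shutil
import subprocess
import time


def make_table(rows, cols):
    """Build a GFM table: header row, delimiter row, then `rows` body rows."""
    header = "|" + "|".join("h%d" % i for i in range(cols)) + "|"
    delim = "|" + "|".join("---" for _ in range(cols)) + "|"
    body = [
        "|" + "|".join("c%d_%d" % (r, i) for i in range(cols)) + "|"
        for r in range(rows)
    ]
    return "\n".join([header, delim] + body) + "\n"


def time_parse(markdown, binary="cmark-gfm"):
    """Wall-clock seconds for `binary -e table` to render `markdown`.

    Returns None when the binary is not installed so callers can skip.
    """
    if shutil.which(binary) is None:
        return None
    start = time.perf_counter()
    subprocess.run(
        [binary, "-e", "table"],
        input=markdown.encode("utf-8"),
        stdout=subprocess.DEVNULL,
        check=True,
    )
    return time.perf_counter() - start


def scaling_exponent(samples):
    """Least-squares slope of log(time) against log(size).

    `samples` is a list of (size, seconds). A slope near 1 indicates
    linear growth; near 2 indicates quadratic growth.
    """
    xs = [math.log(n) for n, _ in samples]
    ys = [math.log(t) for _, t in samples]
    mx = sum(xs) / len(xs)
    my = sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def run_check(sizes=(2000, 4000, 8000, 16000), cols=8):
    """Time the parser at each row count and return (samples, exponent).

    Returns (None, None) if cmark-gfm is not available.
    """
    samples = []
    for rows in sizes:
        seconds = time_parse(make_table(rows, cols))
        if seconds is None:
            return None, None
        samples.append((rows, seconds))
    return samples, scaling_exponent(samples)


if __name__ == "__main__":
    samples, exponent = run_check()
    if samples is None:
        print("cmark-gfm not found on PATH; nothing measured")
    else:
        for rows, seconds in samples:
            print("%6d rows: %.3fs" % (rows, seconds))
        print("fitted exponent: %.2f (1 = linear, 2 = quadratic)" % exponent)
```

Process start-up adds a constant cost to every sample, which pulls the fitted exponent below the true value at small sizes; use row counts large enough that parsing dominates, and compare the number between the affected and patched versions rather than reading any single run as proof.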

Patches

The issue has been fixed in 0.29.0.gfm.1.

Workarounds

There are no known workarounds.

References

Detected by Jonas Wagner at Google by #autofuzz: https://google.github.io/oss-fuzz/
