QwikSec

Security Database

CVE

CWE

Training

CVE-2022-39209

Published: Sep 15, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.

Vendor	Product	Versions
github	cmark-gfm	affected `< 0.29.0.gfm.6`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q

https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655

https://en.wikipedia.org/wiki/Time_complexity

FEDORA-2022-6bcee2cc93

vendor-advisory

FEDORA-2022-f1aed93db8

vendor-advisory

FEDORA-2022-dc6d6d9d6c

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.