ADVISORIES

• GHSA-48wp-p9qv-4j64
• Vendor Advisory

GEM

commonmarker

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

• >= 0.23.9

DESCRIPTION

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

• CVE-2023-24824
• CVE-2023-26485

For more information, consult the release notes for versions 0.23.0.gfm.10 and 0.23.0.gfm.11.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.9

RELATED

• CVE-2023-24824 (NVD)
• CVE-2023-26485 (NVD)
• https://nvd.nist.gov/vuln/detail/CVE-2023-24824
• https://nvd.nist.gov/vuln/detail/CVE-2023-26485
• https://github.com/gjtorikian/commonmarker/pull/236
• https://rubygems.org/gems/commonmarker/versions/0.23.9
• https://github.com/gjtorikian/commonmarker/releases/tag/v0.23.9
• https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-48wp-p9qv-4j64
• https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59
• https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
• https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5
• https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.10
• https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.11