Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service
Published: September 21, 2022
SECURITY IDENTIFIERS
- GHSA: GHSA-4qw4-jpp4-8gvp
- Vendor Advisory: https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-4qw4-jpp4-8gvp
GEM
PATCHED VERSIONS
>= 0.23.6
DESCRIPTION
Impact
CommonMarker uses cmark-gfm for rendering GitHub Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.
Patches
This vulnerability has been patched in the following CommonMarker release:
- v0.23.6
Workarounds
Disable use of the autolink extension.
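As an added example (not code from the advisory or from the commonmarker project), the following Ruby helper applies that workaround: it drops the `:autolink` extension from the rendering call whenever the installed gem is older than the patched 0.23.6. It assumes the 0.23.x API `CommonMarker.render_html(text, options, extensions)` and a constructed sample input.

```ruby
# Added example: keep :autolink out of the CommonMarker extension list on
# unpatched versions (< 0.23.6) so the affected autolink code path is never used.
require 'rubygems'

PATCHED_VERSION = Gem::Version.new('0.23.6')

# Extension set typically enabled for GitHub Flavored Markdown (:autolink included).
GFM_EXTENSIONS = %i[table tagfilter strikethrough autolink tasklist].freeze

# True when the given commonmarker version still carries the unpatched autolink code.
def autolink_vulnerable?(version)
  Gem::Version.new(version) < PATCHED_VERSION
end

# Return the requested extensions, minus :autolink unless the installed gem is patched.
def safe_extensions(requested, installed_version)
  return requested.dup unless autolink_vulnerable?(installed_version)
  requested.reject { |ext| ext == :autolink }
end

# Installed commonmarker version as a string, or nil when the gem is not present.
def installed_commonmarker_version
  Gem::Specification.find_by_name('commonmarker').version.to_s
rescue Gem::LoadError
  nil
end

# Render markdown with a safe extension list. Needs the commonmarker gem at runtime
# (assumed 0.23.x API); returns nil when it is not installed so this file still loads.
def render_safely(markdown, requested = GFM_EXTENSIONS)
  version = installed_commonmarker_version
  return nil if version.nil?
  require 'commonmarker'
  CommonMarker.render_html(markdown, :DEFAULT, safe_extensions(requested, version))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a bare URL is exactly what the autolink extension scans for.
  puts(render_safely('See www.example.com for details.') || 'commonmarker gem not installed')
end
```

Once the gem is upgraded to 0.23.6 or later, `safe_extensions` passes the full list through unchanged, so the workaround removes itself.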
References
https://en.wikipedia.org/wiki/Time_complexity
