CVE-2022-39209
moderate-risk
Published 2022-09-15
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6, a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which exhausts resources on unpatched cmark-gfm but renders correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
Do I need to act?
- EPSS: 1.8% chance of exploitation in the next 30 days (moderate exploit probability)
- CISA KEV: not listed; no confirmed active exploitation reported to CISA
- Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
- CVSS: 7.5/10 (High); attack vector NETWORK, LOW complexity
References (12)
- Third Party Advisory: https://en.wikipedia.org/wiki/Time_complexity
- Third Party Advisory: https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
Risk score: 41 / 100 (moderate-risk)
- Severity: 26/34 · High
- Exploitability: 5/34 · Minimal
- Exposure: 10/34 · Low