Description
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of > or - characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
A flaw was found in CommonMarker. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.
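As an added illustration (not code from cmark-gfm, CommonMarker or Red Hat): a pre-parse check that measures the longest run of leading `>` or `-` marker characters, so an application that cannot upgrade yet can flag or reject untrusted input matching the pattern this advisory describes before handing it to the parser. Scanning every line start (not only the start of the document) and the `MAX_LEADING_RUN` threshold are assumptions for this example.

```python
import re

# Constructed threshold for this example: tune to the largest marker run
# your own legitimate content needs (deeply nested quotes are rare in practice).
MAX_LEADING_RUN = 512

# A run of `>` / `-` markers at the start of a line. Interleaved spaces and
# tabs are allowed because Markdown permits "> > >" as well as ">>>".
_LEADING_RUN = re.compile(r"^[ \t]*((?:[>-][ \t]*)+)", re.MULTILINE)


def longest_leading_run(text: str) -> int:
    """Return the largest number of `>`/`-` markers that lead any line of text."""
    longest = 0
    for match in _LEADING_RUN.finditer(text):
        markers = sum(1 for ch in match.group(1) if ch in ">-")
        longest = max(longest, markers)
    return longest


def is_safe_to_parse(text: str, limit: int = MAX_LEADING_RUN) -> bool:
    """Gate untrusted Markdown before it reaches an unpatched cmark-gfm build."""
    return longest_leading_run(text) <= limit


if __name__ == "__main__":
    # Constructed sample inputs: ordinary Markdown versus a long marker run.
    ordinary = "# Title\n\n> a quote\n>> nested once\n- item\n"
    suspicious = ">" * 5000 + " text"
    print(longest_leading_run(ordinary), is_safe_to_parse(ordinary))
    print(longest_leading_run(suspicious), is_safe_to_parse(suspicious))
```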
Report
This vulnerability can cause a potential denial of service (DoS) issue, but it can be classified as Moderate rather than Important due to a few key factors. First, the vulnerability specifically targets input with large numbers of specific characters (> or -), which means it is highly context-dependent and unlikely to be triggered by typical use cases. In practice, the majority of markdown documents are unlikely to contain these patterns in excessive quantities. Furthermore, the issue requires input from untrusted or malicious sources to be exploited, as normal, well-formed markdown documents will not trigger the problem.
While the quadratic time complexity can lead to significant resource exhaustion under certain conditions, it does not inherently enable arbitrary code execution or direct access to sensitive system resources.
Mitigation
No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat 3scale API Management Platform 2 | commonmarker | Will not fix | | |
| Red Hat Enterprise Linux 8 | pandoc | Fixed | RHSA-2025:8427 | 03.06.2025 |
Additional information
CVSS3: 7.5 High