5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28626

GHSA ID

GHSA-8hqf-xjwp-p67v

EPSS Score

0.48676%

CWE

CWE-400

Published

3/28/2023

Updated

5/1/2023

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-28626

CVE-2023-28626: Comrak vulnerable to quadratic runtime issues when parsing Markdown (GHSL-2023-047)

Impact

A range of quadratic parsing issues from cmark/cmark-gfm are also present in Comrak. These can be used to craft denial-of-service attacks on services that use Comrak to parse Markdown.

Patches

0.17.0 contains fixes to known quadratic parsing issues.

Workarounds

n/a

References

https://github.com/commonmark/cmark/issues/255
https://github.com/commonmark/cmark/issues/389
https://github.com/commonmark/cmark/issues/373
https://github.com/commonmark/cmark/issues/299
https://github.com/commonmark/cmark/issues/388
https://github.com/commonmark/cmark/issues/284
https://github.com/commonmark/cmark/issues/218
https://github.com/commonmark/cmark/pull/232
https://github.com/github/cmark-gfm/blob/c32ef78bae851cb83b7ad52d0fbff880acdcd44a/test/pathological_tests.py#L63-L65
https://github.com/github/cmark-gfm/blob/c32ef78bae851cb83b7ad52d0fbff880acdcd44a/test/pathological_tests.py#L87-L89

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-28626

GHSA ID

GHSA-8hqf-xjwp-p67v

EPSS Score

0.48676%

CWE

CWE-400

Published

3/28/2023

Updated

5/1/2023

KEV Status

Technology

Rust

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
comrak	rust	< 0.17.0	0.17.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from multiple quadratic parsing issues inherited from cmark. Key areas identified:

Emphasis handling (process_emphasis) had O(n²) behavior due to delimiter stack mismanagement, as seen in CVE-2023-28626's reference to cmark#389.
HTML block parsing lacked state tracking (skip_html_cdata/etc flags added in commit), addressing issues like cmark#299.
Email autolink validation allowed excessive domain checks (addressed via position constraints).
Table parsing improvements (table_visited flag) prevent redundant cell scans. The commit diff shows critical optimizations in these areas, replacing pest-based parsing with re2c scanners for linear-time lexing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * r*n** o* qu**r*ti* p*rsin* issu*s *rom `*m*rk`/`*m*rk-**m` *r* *lso pr*s*nt in *omr*k. T**s* **n ** us** to *r**t **ni*l-o*-s*rvi** *tt**ks on s*rvi**s t**t us* *omr*k to p*rs* M*rk*own. ### P*t***s *.**.* *ont*ins *ix*s to known qu**r*

Reasoning

T** vuln*r**ility st*ms *rom multipl* qu**r*ti* p*rsin* issu*s in**rit** *rom *m*rk. K*y *r**s i**nti*i**: *. *mp**sis **n*lin* (pro**ss_*mp**sis) *** O(n²) ****vior *u* to **limit*r st**k mism*n***m*nt, *s s**n in *V*-****-*****'s r***r*n** to *m*rk

5.3

Basic Information

Concerned about an active attack path?

CVE-2023-28626: Comrak vulnerable to quadratic runtime issues when parsing Markdown (GHSL-2023-047)

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI