N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4qw4-jpp4-8gvp

GHSA-4qw4-jpp4-8gvp: Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

v0.23.6

Workarounds

Disable use of the autolink extension.

References

https://github.com/gjtorikian/commonmarker/pull/190 https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

Open an issue in github/cmark-gfm

Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-4qw4-jpp4-8gvp

GHSA-4qw4-jpp4-8gvp:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
commonmarker	rubygems	< 0.23.6	0.23.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from cmark-gfm's autolink processing implementation. Key indicators:

The workaround suggests disabling autolink extension
The CWE-400 classification indicates algorithmic complexity issues
The patch involved updating to a cmark-gfm commit that specifically addresses autolink handling
Autolink parsing traditionally involves pattern scanning which is prone to quadratic complexity with nested loops
The reference to 'polynomial time complexity' strongly suggests functions with nested input-dependent loops
Historical context of similar vulnerabilities in markdown parsers often points to URI/email autolink handlers as hotspots for regex/scanning inefficiencies

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-4qw4-jpp4-8gvp: Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

Patches

Workarounds

References

For more information

Acknowledgements

GHSA-4qw4-jpp4-8gvp:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

N/A

N/A

GHSA-4qw4-jpp4-8gvp: Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

Patches

Workarounds

References

For more information

Acknowledgements

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI