N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4qw4-jpp4-8gvp

EPSS Score

CWE

CWE-400

Published

9/21/2022

Updated

1/7/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4qw4-jpp4-8gvp

GHSA-4qw4-jpp4-8gvp: Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

v0.23.6

Workarounds

Disable use of the autolink extension.

References

https://github.com/gjtorikian/commonmarker/pull/190 https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

Open an issue in github/cmark-gfm

Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4qw4-jpp4-8gvp

EPSS Score

CWE

CWE-400

Published

9/21/2022

Updated

1/7/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
commonmarker	rubygems	< 0.23.6	0.23.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from cmark-gfm's autolink processing implementation. Key indicators:

The workaround suggests disabling autolink extension
The CWE-400 classification indicates algorithmic complexity issues
The patch involved updating to a cmark-gfm commit that specifically addresses autolink handling
Autolink parsing traditionally involves pattern scanning which is prone to quadratic complexity with nested loops
The reference to 'polynomial time complexity' strongly suggests functions with nested input-dependent loops
Historical context of similar vulnerabilities in markdown parsers often points to URI/email autolink handlers as hotspots for regex/scanning inefficiencies

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ommonM*rk*r us*s `*m*rk-**m` *or r*n**rin* [*it*u* *l*vor** M*rk*own](*ttps://*it*u*.*it*u*.*om/**m/). * polynomi*l tim* *ompl*xity issu* in *m*rk-**m's *utolink *xt*nsion m*y l*** to un*oun*** r*sour** *x**ustion *n* su*s*qu*nt **ni*l o

Reasoning

T** vuln*r**ility st*ms *rom *m*rk-**m's *utolink pro**ssin* impl*m*nt*tion. K*y in*i**tors: *. T** work*roun* su***sts *is**lin* *utolink *xt*nsion *. T** *W*-*** *l*ssi*i**tion in*i**t*s *l*orit*mi* *ompl*xity issu*s *. T** p*t** involv** up**tin*

N/A

Basic Information

Concerned about an active attack path?

GHSA-4qw4-jpp4-8gvp: Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

Patches

Workarounds

References

For more information

Acknowledgements

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI