CVE-2022-39209

Name of the Vulnerable Software and Affected Versions cmark-gfm versions prior to 0.29.0.gfm.6

Description A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users can verify the patch by running python3 -c 'print("![l"* 100000 + " ")' | ./cmark-gfm -e autolink, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm.

Recommendations To resolve the issue, users are advised to upgrade to version 0.29.0.gfm.6 or later. Users unable to upgrade should disable the use of the autolink extension as a temporary workaround.