CVE-2023-22486

Name of the Vulnerable Software and Affected Versions cmark-gfm versions prior to 0.29.0.gfm.12

Description The issue concerns a polynomial time complexity problem in multiple components, including the autolink extension, handle close bracket, and parsing of certain text patterns, which may lead to unbounded resource exhaustion and subsequent denial of service. An out-of-bounds read in the validate protocol function was also identified.

Recommendations For versions prior to 0.29.0.gfm.7, update to version 0.29.0.gfm.7 or later to resolve the issue. For versions prior to 0.29.0.gfm.10, update to version 0.29.0.gfm.10 or later to ensure all patches are applied. For versions prior to 0.29.0.gfm.12, update to version 0.29.0.gfm.12 to apply the latest security patches. As a temporary workaround, consider validating input from trusted sources if upgrading is not immediately possible.