CVE-2023-26485

Name of the Vulnerable Software and Affected Versions cmark-gfm versions prior to 0.29.0.gfm.10

Description A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This issue is caused by quadratic complexity when parsing text that leads with large numbers of characters. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

The issue can be exploited by parsing text with large numbers of characters, which can cause the program to consume excessive resources. The validate protocol function is also vulnerable to an out-of-bounds read, but this is considered less harmful.

Recommendations For versions prior to 0.29.0.gfm.10, upgrade to version 0.29.0.gfm.10 or later to resolve the issue. If upgrading is not possible, validate that input comes from trusted sources to minimize the risk of exploitation. As a temporary workaround, consider restricting the input of characters to prevent excessive resource consumption.