PT-2023-21857 · Comrak

Author: Philipturnbull
Published: 2023-03-28
Updated: 2023-04-29
CVE: CVE-2023-28626
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected software and versions: comrak versions prior to 0.17.0

Description: The issue concerns quadratic parsing problems in comrak, a CommonMark + GFM compatible Markdown parser and renderer written in Rust. Because parsing time grows quadratically with the size of certain inputs, crafted Markdown can be used to mount denial-of-service attacks against services that use comrak to parse Markdown.

Recommendations: For versions prior to 0.17.0, upgrade to version 0.17.0, which addresses the quadratic parsing issues. As a temporary workaround, restrict the use of comrak for parsing Markdown, and in particular avoid using it on potentially malicious Markdown input, until the upgrade is applied.

References: Exploit · Fix

Category: Resource Exhaustion


Weakness Enumeration:

Related Identifiers: CVE-2023-28626, GHSA-8HQF-XJWP-P67V

Affected Products: Comrak