CVE-2023-28631

Name of the Vulnerable Software and Affected Versions comrak versions prior to 0.17.0

Description The issue arises when a Comrak AST is constructed manually and then converted to HTML, as the HTML formatting code assumes the AST is well-formed. This assumption can be violated if the AST contains invalid UTF-8 data in its [u8] fields, potentially triggering several bugs. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited.

Recommendations For versions prior to 0.17.0, upgrade to version 0.17.0 or later, which contains adjustments to the AST to store strings instead of unvalidated byte arrays. As a temporary workaround for users unable to upgrade, manually validate the UTF-8 correctness of all data when assigning to &[u8] and Vec<u8> fields in the AST.