PT-2023-25977 · Cmark-Gfm

Kevinbackhouse · Published 2023-07-13 · Updated 2023-10-06 · CVE-2023-37463

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions: cmark-gfm versions prior to 0.29.0.gfm.12

Description: cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown syntax with a spec. Three polynomial-time-complexity issues in cmark-gfm can lead to unbounded resource exhaustion and subsequent denial of service. The affected components include the autolink extension, the handle close bracket logic, and the parsing of certain text patterns (leading >, -, ). An out-of-bounds read in the validate protocol function was also identified.

Recommendations: For versions prior to 0.29.0.gfm.12, upgrade to version 0.29.0.gfm.12, which patches the vulnerabilities. If upgrading is not possible, validate input and restrict it to trusted sources to minimize the risk of exploitation. As a temporary workaround, consider restricting the use of the autolink extension, the handle close bracket logic, and the parsing of certain text patterns until the patch can be applied, and avoid using the validate protocol function until the issue is resolved.
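As an added example (not part of this advisory or of the cmark-gfm project), the following Python helper checks whether a cmark-gfm version string falls before the fixed release 0.29.0.gfm.12, and wraps the cmark-gfm command-line tool with an input-size cap and a wall-clock timeout while leaving the autolink extension disabled. The version-string format (as printed by `cmark-gfm --version`) and the binary name are assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# First release that fixes CVE-2023-37463, per the advisory.
FIXED_VERSION = (0, 29, 0, 12)

# cmark-gfm versions look like "0.29.0.gfm.11" (assumed format).
_GFM_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.gfm\.(\d+)")


def parse_gfm_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a cmark-gfm version tuple from free text such as the
    output of `cmark-gfm --version`. Returns None when the text carries
    no cmark-gfm style version (e.g. plain upstream cmark)."""
    m = _GFM_VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, gfm = (int(g) for g in m.groups())
    return (major, minor, patch, gfm)


def is_affected(text: str) -> bool:
    """True when the text names a cmark-gfm build older than 0.29.0.gfm.12."""
    ver = parse_gfm_version(text)
    return ver is not None and ver < FIXED_VERSION


class MarkdownInputTooLarge(ValueError):
    """Raised before rendering when the input exceeds the configured cap."""


def render_with_limits(markdown: str, max_bytes: int = 64 * 1024,
                       timeout_s: float = 2.0, binary: str = "cmark-gfm") -> str:
    """Render Markdown to HTML through the cmark-gfm CLI (hypothetical wrapper).
    Bounds the damage of slow parsing paths with a size cap and a timeout;
    the autolink extension is deliberately not enabled (no `-e autolink`)."""
    data = markdown.encode("utf-8")
    if len(data) > max_bytes:
        raise MarkdownInputTooLarge(f"{len(data)} bytes exceeds cap of {max_bytes}")
    # With no arguments cmark-gfm reads stdin and writes HTML to stdout.
    proc = subprocess.run([binary], input=data, capture_output=True,
                          timeout=timeout_s, check=True)
    return proc.stdout.decode("utf-8")
```

A `subprocess.TimeoutExpired` from `render_with_limits` is the signal that an input hit a slow parsing path and should be rejected rather than retried.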

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2023-37463
GHSA-W4QG-3VF7-M9X5
OPENSUSE-SU-2024:13136-1
RSEC-2023-8

Affected Products

Debian
Cmark-Gfm