PT-2024-40232 · League Of Extraordinary Packages · League/Commonmark

Published 2024-12-09 · Updated 2024-12-09

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: league/commonmark versions prior to 2.6.0
Description: The issue is related to polynomial time complexity problems in the league/commonmark library, which can lead to unbounded resource exhaustion and denial of service. Malicious users can trigger inefficient code with carefully crafted Markdown inputs, potentially tying up all available CPU resources and/or PHP-FPM processes. This can result in denial of service for legitimate users.
Recommendations: For versions prior to 2.6.0, upgrade to version 2.6.0 as soon as possible. If you cannot upgrade, consider the following workarounds:
  • Set very low PHP memory limit and max execution time settings to cap runaway resource usage
  • Implement rate-limiting, bot protection, or other approaches to reduce the risk of simultaneous bad requests hitting your site
  • Limit the size of inputs fed into this library (specifically the max length of each line)
  • Limit the use of this library to trusted users
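The input-size and per-line-length workaround above, as an added example that is not part of the advisory or of the league/commonmark project. The limits MAX_BYTES and MAX_LINE_LENGTH, the time and memory values, and the autoload path are assumptions to tune for your site; the converter calls use the library's public 2.x API.

```php
<?php
// Added example (not from the advisory or league/commonmark): bound total
// input size and the length of each line before handing untrusted Markdown
// to the library, and cap time/memory per request as the advisory suggests.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer layout

use League\CommonMark\CommonMarkConverter;

const MAX_BYTES = 64 * 1024;  // assumed overall input cap
const MAX_LINE_LENGTH = 2000; // assumed per-line cap (the advisory's key point)

/**
 * Returns null when the input is within limits, otherwise a reason string.
 * Line length is checked separately because the advisory singles out the
 * maximum length of each line, not only the total document size.
 */
function checkMarkdownLimits(string $markdown): ?string
{
    if (strlen($markdown) > MAX_BYTES) {
        return 'input exceeds ' . MAX_BYTES . ' bytes';
    }
    foreach (preg_split('/\r\n|\r|\n/', $markdown) as $n => $line) {
        if (strlen($line) > MAX_LINE_LENGTH) {
            return sprintf('line %d exceeds %d bytes', $n + 1, MAX_LINE_LENGTH);
        }
    }
    return null;
}

function renderUntrustedMarkdown(string $markdown): string
{
    if (($reason = checkMarkdownLimits($markdown)) !== null) {
        throw new InvalidArgumentException('Rejected Markdown: ' . $reason);
    }
    set_time_limit(5);             // assumed per-request execution cap
    ini_set('memory_limit', '64M'); // assumed per-request memory cap

    $converter = new CommonMarkConverter([
        'html_input'         => 'strip',
        'allow_unsafe_links' => false,
    ]);
    return (string) $converter->convert($markdown);
}

// Constructed samples: a short document renders, an over-long line is rejected.
echo renderUntrustedMarkdown("# Hello\n\nSome *plain* text.\n");
try {
    renderUntrustedMarkdown(str_repeat('a', MAX_LINE_LENGTH + 1));
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```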

Fix


Weakness Enumeration

Related Identifiers

GHSA-C2PC-G5QF-RFRF

Affected Products

League/Commonmark