CVE-2023-22486 LOW

CVE-2023-22486: cmark-gfm Quadratic complexity bug in handle_close_bracket may lead to a denial of service

Vendor: GitHub
Product: cmark-gfm
Weakness: CWE-400 (Uncontrolled Resource Consumption)
Published: January 24, 2023
Last update: March 10, 2025

CVSS base score

3.5/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

Description

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. Versions prior to 0.29.0.gfm.7 contain a polynomial time complexity issue in handle_close_bracket that may lead to unbounded resource exhaustion and subsequent denial of service. This vulnerability has been patched in 0.29.0.gfm.7.

Key dates

Disclosure timeline

January 24, 2023: CVE published
March 10, 2025: Record updated