{"id":"CVE-2022-39209","summary":"Uncontrolled Resource Consumption in cmark-gfm","details":"cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print(\"![l\"* 100000 + \"\\n\")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.","aliases":["GHSA-cgh3-p57x-9q7q"],"modified":"2026-04-22T04:08:36.221349Z","published":"2022-09-15T00:00:00Z","database_specific":{"cwe_ids":["CWE-400"],"cna_assigner":"GitHub_M","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"fixed":"0.29.0.gfm.6"}]}],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39209.json"},"references":[{"type":"WEB","url":"https://en.wikipedia.org/wiki/Time_complexity"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39209.json"},{"type":"ADVISORY","url":"https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39209"},{"type":"FIX","url":"https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/github/cmark-gfm","events":[{"introduced":"0"},{"fixed":"9d57d8a23142b316282bdfc954cb0ecda40a8655"}],"database_specific":{"source":["CPE_FIELD","REFERENCES"],"cpe":"cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"0.29.0.gfm.6"}]}}],"versions":["0.27.1.gfm.2","0.27.1.gfm.3","0.27.1.gfm.4","0.28.0.gfm.10","0.28.0.gfm.11","0.28.0.gfm.5","0.28.0.gfm.6","0.28.0.gfm.7","0.28.0.gfm.8","0.28.0.gfm.9","0.28.3.gfm.12","0.28.3.gfm.13","0.28.3.gfm.14","0.28.3.gfm.15","0.28.3.gfm.16","0.28.3.gfm.17","0.28.3.gfm.18","0.28.3.gfm.19","0.28.3.gfm.20","0.29.0.gfm.0","0.29.0.gfm.1","0.29.0.gfm.2","0.29.0.gfm.3","0.29.0.gfm.4","0.29.0.gfm.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39209.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}