{"id":"HSEC-2025-0007","summary":"cmark-gfm: resource exhaustion due to quadratic complexity in parser","details":"# cmark-gfm: resource exhaustion due to quadratic complexity in parser\n\n*cmark-gfm* is GitHub's fork of *cmark*, a CommonMark parsing and\nrendering library and program in C.  A polynomial time complexity\nissue in cmark-gfm may lead to unbounded resource exhaustion and\nsubsequent denial of service, due to quadratic complexity issues\nwhen parsing text which leads with either large numbers of `\u003e` or\n`-` characters.\n\nThe Haskell *cmark-gfm* package bundles the C sources and was\naffected by this issue.  This fix was released in the upstream C\npackage at version `0.29.0.gfm.10`.  Version `0.2.6` of the Haskell\npackage adopted the fix (moving from `0.29.0.gfm.6` to\n`0.29.0.gfm.13`).  Packages that depend on *cmark-gfm* should update\nto `0.2.6` or later.\n\nUsers unable to update should avoid processing data from untrusted\nsources or validate the input with other tools before using\n*cmark-gfm* to parse it.\n\nPandoc `\u003c 2.10.1` depended on *cmark-gfm* and could be affected by\nthis issue.\n","aliases":["CVE-2023-24824","GHSA-66g8-4hjf-77xh"],"modified":"2025-12-27T09:10:56.637331Z","published":"2025-12-27T08:58:56Z","database_specific":{"home":"https://github.com/haskell/security-advisories","repository":"https://github.com/haskell/security-advisories","osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export"},"references":[{"type":"FIX","url":"https://github.com/kivikakk/cmark-gfm-hs/commit/1359b8740c6b29dde0ad8f816531112b32eb8cbe"},{"type":"FIX","url":"https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59"},{"type":"ADVISORY","url":"https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-24824"}],"affected":[{"package":{"name":"cmark-gfm","ecosystem":"Hackage","purl":"pkg:hackage/cmark-gfm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0.1.0"},{"fixed":"0.2.6"}]}],"versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5"],"database_specific":{"source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2025/HSEC-2025-0007.json","human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2025/HSEC-2025-0007.md","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2025/HSEC-2025-0007.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}],"schema_version":"1.7.3"}