cmark-gfm: resource exhaustion due to quadratic complexity in parser
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program written in C. A polynomial-time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service, because the parser has quadratic complexity when handling text that begins with a large number of > or - characters.
The Haskell cmark-gfm package bundles the C sources and was affected by this issue. The fix was released in the upstream C package at version 0.29.0.gfm.10. Version 0.2.6 of the Haskell package adopted the fix (moving from 0.29.0.gfm.6 to 0.29.0.gfm.13). Packages that depend on cmark-gfm should update to 0.2.6 or later.
Users unable to update should avoid processing data from untrusted sources or validate the input with other tools before using cmark-gfm to parse it.
Pandoc < 2.10.1 depended on cmark-gfm and could be affected by this issue.
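For deployments that cannot update yet, the advisory recommends validating input with other tools before handing it to cmark-gfm. The following pre-filter is an added example (not code from cmark-gfm or the Haskell package) that rejects documents whose lines lead with unusually long runs of > or - markers; the thresholds MAX_MARKER_RUN and MAX_MARKER_TOTAL are assumed values to be tuned per deployment.

```python
import re

# Assumed limits (not from the advisory): tune for your own content.
MAX_MARKER_RUN = 64        # longest run of leading '>'/'-' markers tolerated on one line
MAX_MARKER_TOTAL = 10_000  # total leading markers tolerated across the whole document

# Leading run of blockquote ('>') and list ('-') markers, with optional
# whitespace between them, e.g. "> > - text" or "  - item".
_LEADING_MARKERS = re.compile(r"^[ \t]*((?:[>-][ \t]*)+)")


def leading_marker_run(line: str) -> int:
    """Count the '>' and '-' characters in a line's leading marker run.

    A line made only of dashes and spaces (thematic break or setext heading
    underline) is not nesting and counts as 0.
    """
    m = _LEADING_MARKERS.match(line)
    if not m:
        return 0
    run = m.group(1)
    rest = line[m.end():]
    if not rest.strip() and ">" not in run:
        return 0
    return sum(1 for ch in run if ch in "><-" and ch != "<")


def check_markdown(text: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a document about to be parsed by cmark-gfm."""
    worst = 0
    total = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        run = leading_marker_run(line)
        total += run
        worst = max(worst, run)
        if run > MAX_MARKER_RUN:
            return False, f"line {lineno}: {run} leading markers exceeds {MAX_MARKER_RUN}"
        if total > MAX_MARKER_TOTAL:
            return False, f"line {lineno}: {total} leading markers in total exceeds {MAX_MARKER_TOTAL}"
    return True, f"ok (longest leading marker run {worst}, total {total})"


if __name__ == "__main__":
    # Constructed sample input: ordinary nesting should pass.
    sample = "# Title\n\n> a quote\n> > nested quote\n\n- item\n  - nested item\n\n---\n"
    print(check_markdown(sample))
```

Run this check on untrusted input before calling the parser, and treat a rejection as a reason to refuse the document rather than to trim it.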
Info
- Published: December 27, 2025
- Modified: December 27, 2025
- CAPECs: < none >
- CWEs: 407
- Keywords: dos, language-c, historical
- Aliases: CVE-2023-24824, GHSA-66g8-4hjf-77xh
- Related: < none >
- References:
  - [FIX] https://github.com/kivikakk/cmark-gfm-hs/commit/1359b8740c6b29dde0ad8f816531112b32eb8cbe
  - [FIX] https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59
  - [ADVISORY] https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
  - [ADVISORY] https://nvd.nist.gov/vuln/detail/CVE-2023-24824
Affected
@hackage/cmark-gfm
- CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Versions: >=0.1.0 && <0.2.6
- Declarations: < none >