GHSA-xxmq-4vph-956w: Comrak vulnerable to production of excessive output when parsing Markdown (GHSL-2023-048)

March 28, 2023

comrak is vulnerable to the upstream cmark issue, “Issue revealed by fuzzer”. A large number of references in a markdown document can trigger an overly large response.

References

github.com/advisories/GHSA-xxmq-4vph-956w
github.com/commonmark/cmark/issues/354
github.com/kivikakk/comrak
github.com/kivikakk/comrak/commit/70f97f3ea4eae30ffbd1b94c764a3de2f1c41d2a
github.com/kivikakk/comrak/releases/tag/0.17.0
github.com/kivikakk/comrak/security/advisories/GHSA-xxmq-4vph-956w

Code Behaviors & Features

Detect and mitigate GHSA-xxmq-4vph-956w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →