GHSA-xxmq-4vph-956w

Source

https://github.com/advisories/GHSA-xxmq-4vph-956w

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-xxmq-4vph-956w/GHSA-xxmq-4vph-956w.json

Published

2023-03-28T14:44:04Z

Modified

2023-03-28T14:44:04Z

Details

Impact

comrak is vulnerable to the upstream cmark issue, "Issue revealed by fuzzer". A large number of references in a markdown document can trigger an overly large response.

Patches

0.17.0 contains https://github.com/kivikakk/comrak/commit/70f97f3ea4eae30ffbd1b94c764a3de2f1c41d2a, which limits reference output to a 100Kb maximum.

Workarounds

n/a

References

• https://github.com/commonmark/cmark/issues/354

References

• https://github.com/kivikakk/comrak/security/advisories/GHSA-xxmq-4vph-956w
• https://github.com/commonmark/cmark/issues/354
• https://github.com/kivikakk/comrak/commit/70f97f3ea4eae30ffbd1b94c764a3de2f1c41d2a
• https://github.com/kivikakk/comrak
• https://github.com/kivikakk/comrak/releases/tag/0.17.0