cmark-gfm, GitHub's extended version of the CommonMark library in C, is affected by multiple vulnerabilities in versions prior to 0.29.0.gfm.12. Several issues with polynomial time complexity, in components including the autolink extension, the handle_close_bracket function, and the parsing of certain text patterns (leading '>', '-' and '_' characters), can lead to unbounded resource exhaustion and denial of service when crafted Markdown is processed. An out-of-bounds read in the validate_protocol function was also identified but is considered less harmful. Patches are available in versions 0.29.0.gfm.7, 0.29.0.gfm.10 and 0.29.0.gfm.12; upgrading to 0.29.0.gfm.12 or later is advised. Users who cannot upgrade should ensure that the Markdown they render comes only from trusted sources.
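The following Python script is an added example, not part of the advisory or of the cmark-gfm project. It gives a practitioner two checks: a version parser that reports which of the three fix levels named above (gfm.7, gfm.10, gfm.12) a given 0.29.0.gfm.N build is missing, and a timing smoke test that feeds constructed stress inputs built from the character classes the advisory names (leading '>', '-' and '_', nested brackets for handle_close_bracket, and an autolink candidate) to a local cmark-gfm CLI under a hard timeout. The stress inputs are my own constructions, not the advisory's proof-of-concept inputs; the assumptions are that a cmark-gfm binary on PATH accepts the --extension flag and reads Markdown on stdin, and that the version string contains the pattern 0.29.0.gfm.N (for example as printed by cmark-gfm --version). Extensions and stdin use are what the cmark-gfm CLI documents; when no binary is installed the timing check reports "skipped" instead of failing.

```python
"""Smoke checks for the cmark-gfm DoS advisory (added example, not project code)."""
import re
import shutil
import subprocess
import time

# Fix levels named in the advisory: patches shipped in 0.29.0.gfm.7, .10 and .12.
FIX_LEVELS = (7, 10, 12)

_GFM_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.gfm\.(\d+)")


def parse_gfm_version(text):
    """Extract (major, minor, patch, gfm) from e.g. 'cmark-gfm 0.29.0.gfm.6 ...'.
    Returns None when the string is not a gfm build (plain cmark, or garbage)."""
    m = _GFM_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def missing_fix_levels(text):
    """Fix levels from the advisory that the given 0.29.0.gfm.N build predates.
    An empty list means the build is at or past 0.29.0.gfm.12."""
    v = parse_gfm_version(text)
    if v is None:
        raise ValueError("not a cmark-gfm version string: %r" % text)
    # Only the 0.29.0 line is covered by the advisory; anything newer is past it.
    if v[:3] > (0, 29, 0):
        return []
    return [lvl for lvl in FIX_LEVELS if v[3] < lvl]


def stress_inputs(n=50_000):
    """Constructed stress inputs (assumption: these exercise the paths named in
    the advisory; they are not the advisory's own proof-of-concept inputs)."""
    return {
        "leading_gt": "> " * n + "x\n",            # deeply nested block quotes
        "leading_dash": "- " * n + "x\n",          # deeply nested list items
        "leading_underscore": "_" * n + "\n",      # long emphasis delimiter run
        "close_bracket": "[" * n + "]" * n + "\n", # bracket nesting, handle_close_bracket
        "autolink": "www." + "a." * n + "\n",      # long autolink candidate
    }


def time_render(markdown, binary="cmark-gfm", timeout=5.0,
                extensions=("autolink", "table", "strikethrough", "tagfilter", "tasklist")):
    """Run the cmark-gfm CLI on one input under a hard timeout.
    Returns {'status': 'ok'|'timeout'|'skipped', 'elapsed': seconds or None}."""
    path = shutil.which(binary)
    if path is None:
        return {"status": "skipped", "elapsed": None}
    cmd = [path]
    for ext in extensions:
        cmd += ["--extension", ext]          # documented cmark-gfm CLI flag
    start = time.monotonic()
    try:
        subprocess.run(cmd, input=markdown.encode(), capture_output=True,
                       timeout=timeout, check=False)
    except subprocess.TimeoutExpired:
        # The child is killed by subprocess.run; a hang here is the DoS symptom.
        return {"status": "timeout", "elapsed": time.monotonic() - start}
    return {"status": "ok", "elapsed": time.monotonic() - start}


def run_checks(n=50_000, timeout=5.0, binary="cmark-gfm"):
    """Time every stress input; returns {name: time_render result}."""
    return {name: time_render(md, binary=binary, timeout=timeout)
            for name, md in stress_inputs(n).items()}


def suspicious(results, budget=1.0):
    """Names of inputs that hung (timeout) or exceeded the per-input time budget.
    Linear-time parsing of ~100 KB should finish well under a second."""
    return sorted(name for name, r in results.items()
                  if r["status"] == "timeout"
                  or (r["status"] == "ok" and r["elapsed"] > budget))


if __name__ == "__main__":
    print("missing fix levels for 0.29.0.gfm.6:", missing_fix_levels("0.29.0.gfm.6"))
    res = run_checks()
    for name, r in res.items():
        print("%-20s %s %s" % (name, r["status"], r["elapsed"]))
    print("suspicious inputs:", suspicious(res))
```

Run it on the host that will process untrusted Markdown; a "timeout" on any input, or a build that missing_fix_levels reports as predating gfm.12, means the mitigation in the advisory applies (upgrade, or restrict input to trusted sources). The timeout is deliberately hard so that a vulnerable binary cannot tie up the test harness itself.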