CVE-2022-39209
CVE-2022-39209 is a high-severity vulnerability in Github Cmark-gfm with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-407.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 2% (74th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-407
- Affected product: Github Cmark-gfm
- Published:
- Last modified:
Description
cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
Frequently asked questions
- What is CVE-2022-39209?
- cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' | ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
- How severe is CVE-2022-39209?
- CVE-2022-39209 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2022-39209 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (74th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-39209?
- CVE-2022-39209 primarily affects Github Cmark-gfm. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-39209?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-39209 published?
- CVE-2022-39209 was published on 2022-09-15 and last updated on 2026-06-17.
References
- https://en.wikipedia.org/wiki/Time_complexity
- https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
- https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/
Affected products (4)
- cpe:2.3:a:github:cmark-gfm:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
More vulnerabilities in Github Cmark-gfm
- CVE-2024-22051 — Critical (CVSS 9.8): CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result…
- CVE-2022-24724 — High (CVSS 8.8): cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3…
- CVE-2023-37463 — Medium (CVSS 6.4): cmark-gfm is an extended version of the C reference implementation of CommonMark, a rationalized version of Markdown…
- CVE-2023-26485 — Medium (CVSS 5.3): cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time…
- CVE-2023-24824 — Medium (CVSS 5.3): cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time…
- CVE-2023-22485 — Medium (CVSS 5.3): cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior…
All CVEs affecting Github Cmark-gfm →
Other CWE-407 vulnerabilities
- CVE-2026-58226 — High (CVSS 8.7): Inefficient Algorithmic Complexity vulnerability in elixir-mint hpax allows unauthenticated denial-of-service via…
- CVE-2026-54892 — High (CVSS 8.7): Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to…
- CVE-2026-59094 — High (CVSS 7.5): Pathway through 0.31.1, fixed in commit d09722e, document store applies a caller-supplied glob pattern to indexed…
- CVE-2026-53433 — High (CVSS 7.5): fzf is vulnerable to a Denial of Service (DoS) due to inefficient HTTP body processing in the --listen mode due to…
- CVE-2026-13311 — High (CVSS 7.5): shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator,…
- CVE-2026-48516 — High (CVSS 7.5): MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7,…