CVE-2023-28626

Quadratic runtime when parsing Markdown in comrak

Description

comrak is a CommonMark + GFM compatible Markdown parser and renderer written in rust. A range of quadratic parsing issues are present in Comrak. These can be used to craft denial-of-service attacks on services that use Comrak to parse Markdown. This issue has been addressed in version 0.17.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-047`

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.25%
Vendor Advisory github.com
Affected: kivikakk comrak
Published at:
Updated at:

References

Link Tags
https://github.com/kivikakk/comrak/security/advisories/GHSA-8hqf-xjwp-p67v vendor advisory
https://github.com/kivikakk/comrak/commit/ce795b7f471b01589f842dc09af38b025701178d patch
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PTWZWCT7KCX2KTXTLPUYZ3EHOONG4X46/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OUYME2VA555X6567H7ORIJQFN4BVGT6N/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VQ3UBC7LE4VPCMZBTADIBL353CH7CPVV/

Frequently Asked Questions

What is the severity of CVE-2023-28626?
CVE-2023-28626 has been scored as a medium severity vulnerability.
How to fix CVE-2023-28626?
To fix CVE-2023-28626, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-28626 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-28626 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-28626?
CVE-2023-28626 affects kivikakk comrak.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.