VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-xpbx-rea4-1kej

Essentials
Severities (17)
References (14)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-xpbx-rea4-1kej
Aliases	CVE-2022-39209
Summary	cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. In versions prior to 0.29.0.gfm.6 a polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service. Users may verify the patch by running `python3 -c 'print("![l"* 100000 + "\n")' \| ./cmark-gfm -e autolink`, which will resource exhaust on unpatched cmark-gfm but render correctly on patched cmark-gfm. This vulnerability has been patched in 0.29.0.gfm.6. Users are advised to upgrade. Users unable to upgrade should disable the use of the autolink extension.
Status	Published
Exploitability	0.5
Weighted Severity	6.8
Risk	3.4
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-400

Uncontrolled Resource Consumption

System	Score	Found at
cvssv3	6.5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39209.json
epss	0.01405	https://api.first.org/data/v1/epss?cve=CVE-2022-39209
epss	0.01405	https://api.first.org/data/v1/epss?cve=CVE-2022-39209
epss	0.01405	https://api.first.org/data/v1/epss?cve=CVE-2022-39209
epss	0.01827	https://api.first.org/data/v1/epss?cve=CVE-2022-39209
cvssv3.1	7.5	https://en.wikipedia.org/wiki/Time_complexity
ssvc	Track	https://en.wikipedia.org/wiki/Time_complexity
cvssv3.1	7.5	https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
ssvc	Track	https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
cvssv3.1	7.5	https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
ssvc	Track	https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
cvssv3.1	7.5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/
ssvc	Track	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/
cvssv3.1	7.5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/
ssvc	Track	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/
cvssv3.1	7.5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/
ssvc	Track	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39209.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-39209
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39209
1020588		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020588
1034887		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034887
1034888		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034888
2128044		https://bugzilla.redhat.com/show_bug.cgi?id=2128044
9d57d8a23142b316282bdfc954cb0ecda40a8655		https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655
GHSA-cgh3-p57x-9q7q		https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7		https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/
JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P		https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/
Time_complexity		https://en.wikipedia.org/wiki/Time_complexity
UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS		https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/
USN-7319-1		https://usn.ubuntu.com/7319-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-39209.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://en.wikipedia.org/wiki/Time_complexity

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/ Found at https://en.wikipedia.org/wiki/Time_complexity

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/ Found at https://github.com/github/cmark-gfm/commit/9d57d8a23142b316282bdfc954cb0ecda40a8655

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/ Found at https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-04-23T15:51:25Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JIUCZN3PEKUCT2JQYQTYOVIJG2KSD6G7/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JMGP65NANDVKPDMXMKYO2ZV2H2HZJY4P/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEAAAI4OULDYQ2TA3HOXH54PC3DCBFZS/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.80935
EPSS Score	0.01405
Published At	June 12, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:38:44.248721+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2022/39xxx/CVE-2022-39209.json	38.6.0