CVE-2024-44337
Published: 15 October 2024
Summary
CVE-2024-44337 is a medium-severity vulnerability whose weakness type is unspecified. Its CVSS base score is 5.1 (Medium).
Operationally, it is ranked in the top 11.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The package github.com/gomarkdown/markdown, a Go library for parsing Markdown text and rendering it as HTML, contains a denial-of-service vulnerability in versions prior to pseudoversion v0.0.0-20240729232818-a2a9c4f. A logical flaw in the paragraph function within parser/block.go allows specially crafted input to trigger an infinite loop, causing the consuming process to hang and exhaust resources. The issue received a CVSS v3.1 score of 5.1, reflecting a local attack vector, low attack complexity, and limited impact on integrity and availability.
An attacker with the ability to supply Markdown content to an affected application can trigger the loop and induce a persistent denial-of-service condition. Because the library is commonly used to process untrusted user-supplied documents, any program that passes external Markdown through the parser without prior validation or resource limits is exposed.
The fix is contained in commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252, which resolves the loop condition in the paragraph parser. Public references consist of the commit itself and a proof-of-concept repository demonstrating the triggering input. The associated EPSS score has remained low, reaching a peak of 0.0521 well after disclosure before receding to the current value of 0.0404.
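As an added defensive example (not the library's own code): a Go wrapper that caps input size and bounds how long a request path waits for a Markdown renderer, exercised with a constructed renderer that hangs in place of the vulnerable parser. It assumes the production renderer is plugged in as gomarkdown's `markdown.ToHTML`; the comments carry the caveat that a goroutine stuck in an infinite loop cannot be cancelled from Go, so the wrapper keeps the service responsive and observable but does not replace upgrading past the fixed pseudoversion.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Renderer is any Markdown-to-HTML function. In a real service this would be
// gomarkdown's entry point, e.g. func(b []byte) []byte { return markdown.ToHTML(b, nil, nil) }.
type Renderer func(md []byte) []byte

var (
	ErrTooLarge = errors.New("markdown input exceeds size limit")
	ErrTimeout  = errors.New("markdown rendering exceeded deadline")
)

// RenderWithLimits rejects oversized input and bounds how long the caller waits.
// Caveat: Go cannot kill a goroutine, so a renderer stuck in the CVE-2024-44337
// loop keeps burning CPU after the timeout; the wrapper only keeps the request
// path responsive and turns the hang into an error worth alerting on. The fix
// is upgrading past v0.0.0-20240729232818-a2a9c4f.
func RenderWithLimits(render Renderer, md []byte, maxBytes int, timeout time.Duration) ([]byte, error) {
	if len(md) > maxBytes {
		return nil, ErrTooLarge
	}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()

	result := make(chan []byte, 1) // buffered so a late finisher never blocks
	go func() { result <- render(md) }()

	select {
	case out := <-result:
		return out, nil
	case <-ctx.Done():
		return nil, ErrTimeout
	}
}

// hangingRenderer is a constructed stand-in for the vulnerable paragraph loop:
// it never returns. It sleeps rather than spins so the example itself does not burn CPU.
func hangingRenderer(md []byte) []byte {
	for {
		time.Sleep(time.Hour)
	}
}

func main() {
	ok := func(b []byte) []byte { return append([]byte("<p>"), b...) } // trivial healthy renderer
	out, err := RenderWithLimits(ok, []byte("hello"), 1<<20, time.Second)
	fmt.Printf("%q %v\n", out, err)
	_, err = RenderWithLimits(hangingRenderer, []byte("crafted"), 1<<20, 100*time.Millisecond)
	fmt.Println(err)
}
```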
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-3169
Vulnerability details
The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering it as HTML. Prior to pseudoversion `v0.0.0-20240729232818-a2a9c4f`, which corresponds to commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, there was a logical problem in the paragraph function of the parser/block.go file, which allowed a remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely. Commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252` contains fixes to this problem.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.