Cyber Resilience

CVE-2024-44337

Medium

Published: 15 October 2024

Published
15 October 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS Score 0.0404 88.8th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-44337 is a medium-severity an unspecified weakness vulnerability. Its CVSS base score is 5.1 (Medium).

Operationally, ranked in the top 11.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The package github.com/gomarkdown/markdown, a Go library for parsing Markdown text and rendering it as HTML, contains a denial-of-service vulnerability in versions prior to pseudoversion v0.0.0-20240729232818-a2a9c4f. A logical flaw in the paragraph function within parser/block.go allows specially crafted input to trigger an infinite loop, causing the consuming process to hang and exhaust resources. The issue received a CVSS v3.1 score of 5.1 reflecting local attack vector, low complexity, and limited impact to integrity and availability.

An attacker with the ability to supply Markdown content to an affected application can trigger the loop and induce a persistent denial-of-service condition. Because the library is commonly used to process untrusted user-supplied documents, any program that passes external Markdown through the parser without prior validation or resource limits is exposed.

The fix is contained in commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252, which resolves the loop condition in the paragraph parser. Public references consist of the commit itself and a proof-of-concept repository demonstrating the triggering input. The associated EPSS score has remained low, reaching a peak of 0.0521 well after disclosure before receding to the current value of 0.0404.

EU & UK References

Vulnerability details

The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `v0.0.0-20240729232818-a2a9c4f`, which corresponds with commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, there was a logical problem in the paragraph function of the parser/block.go file, which allowed a…

more

remote attacker to cause a denial of service (DoS) condition by providing a tailor-made input that caused an infinite loop, causing the program to hang and consume resources indefinitely. Submit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252` contains fixes to this problem.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References