GHSA-48wp-p9qv-4j64: 
Ruby vulnerability analysis and mitigation

Several quadratic complexity bugs were discovered in Commonmarker's underlying cmark-gfm library that could lead to unbounded resource exhaustion and subsequent denial of service. The vulnerability affects Commonmarker versions below 0.23.9 and was disclosed on April 11, 2023. The issue encompasses two CVEs (CVE-2023-24824 and CVE-2023-26485) related to polynomial time complexity issues (GitHub Advisory).

The vulnerability involves multiple quadratic complexity issues in the cmark-gfm library. Two specific proof-of-concept examples demonstrate the issues: 1) Using the pattern '>' followed by 'a*' repeated n times, and 2) Using the pattern ' -' repeated n times followed by 'x' and newlines. In both cases, increasing the input size causes the running time to increase quadratically. The issues affect various output formats including plaintext, commonmark, XML, and man page formats (GHSA-66g8-4hjf-77xh, GHSA-r8vr-c48j-fcc5).

The vulnerability can lead to unbounded resource exhaustion and subsequent denial of service when processing specially crafted markdown input. The quadratic complexity issues can cause significant performance degradation when processing large inputs, potentially affecting system resources and availability (GitHub Advisory).

Users are advised to upgrade to Commonmarker version 0.23.9, which includes patches for these vulnerabilities. The fixes were implemented in the underlying cmark-gfm library versions 0.29.0.gfm.10 and 0.29.0.gfm.11 (GitHub Advisory).