GHSA-c2pc-g5qf-rfrf: 
PHP vulnerability analysis and mitigation

A high severity vulnerability (GHSA-c2pc-g5qf-rfrf) was discovered in league/commonmark affecting versions prior to 2.6.0. The vulnerability involves multiple polynomial time complexity issues that could lead to unbounded resource exhaustion and subsequent denial of service. The issue was published on December 7, 2024, and affects the PHP Composer package league/commonmark (GitHub Advisory).

The vulnerability stems from several quadratic complexity bugs in the library's markdown parsing functionality. These issues can be triggered by carefully crafted Markdown inputs specifically designed to achieve worst-case performance scenarios. The vulnerability has a CVSS score of 7.5 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely with low complexity and requires no privileges or user interaction (GitHub Advisory).

When exploited, these vulnerabilities can lead to denial of service conditions by exhausting system resources. Malicious users can send multiple specially crafted requests in parallel, potentially tying up all available CPU resources and/or PHP-FPM processes, which would prevent legitimate users from accessing the service (GitHub Advisory).

The vulnerability has been patched in version 2.6.0, and users are strongly encouraged to upgrade. For those unable to upgrade immediately, several workarounds are available: setting low memorylimit and maxexecution_time PHP configurations, implementing rate-limiting and bot protection, limiting input sizes (particularly the max length of each line), and restricting the library's use to trusted users only (GitHub Advisory).