Legit Security Discovers “MarkdownTime”, A Vulnerability in Markdown Services Affecting GitHub, GitLab and Countless Others

Legit Security, a cyber security company with an enterprise platform that protects an organization’s software supply chain from attack and ensures secure application delivery, announced that it discovered an easy to exploit Denial-of-Service (DoS) vulnerability in Markdown libraries used by GitHub, GitLab and countless other applications using a popular markdown rendering service called commonmarker. Coined “MarkdownTime”, a vulnerable version of the commonmarker service allows an attacker to deploy a simple DoS attack that would shut down innumerable digital business services across the globe by disrupting their application development pipelines.

Markdown refers to creating formatted text using a plain text editor which is commonly found in software development tools and environments. A wide range of applications and projects implement these popular open source markdown libraries, such as the popular variant found in GitHub’s implementation – GFM (GitHub Flavored Markdown). In this case, Legit Security researchers found that it was simple to trigger unbounded resource exhaustion leading to a Denial-of-Service attack which could take down the service. After bringing this vulnerability to the attention of the GitHub security team, GitHub recognized the issue and posted a formal acknowledgement and fix which can be found here: CVE-2022-39209. It should be noted that many other tools and services may also be susceptible to the same vulnerability.

Recommended AI: Adelante Enhances Capabilities with Zendesk Setup Solution

“Open-source libraries are ubiquitous in modern software development, but when vulnerabilities emerge, they can be very difficult to track due to uncontrolled copies of the original vulnerable code,” said Liav Caspi, CTO and co-founder of Legit Security. “When a library becomes popular and widespread, a vulnerability inside of it could potentially enable an attack on countless projects. Those attacks can include disruption of critical business services, such as crippling the software supply chain and the ability to release new business applications.”

This is exactly what the Legit Security research team saw with MarkdownTime: a copy of the vulnerable GFM implementation was found in commonmarker, the popular Ruby package implementing Markdown support, which has more than 1 million dependent repositories. The Legit Security team found implementations across several business critical source code management services, among them GitHub and GitLab. Using this exploit, an unauthenticated attacker can bring down entire software production pipelines and causing significant damage to organization’s digital business initiatives. Many other services beyond just software development environments may also be vulnerable to costly business disruption.

The Legit Security research team has disclosed this security issue to the maintainer of commonmarker, as well as to both GitHub and GitLab. All of them have fixed the issues, but many more copies of this markdown implementation have been deployed and are in use.

Recommended AI: Tacans Partners With Provenance Tags, Concordium Blockchain Based Anti-Counterfeiting Solution

[To share your insights with us, please write to sghosh@martechseries.com]