Legit Security Discovers “MarkdownTime”, A Vulnerability in Markdown Services Affecting GitHub, GitLab and Countless Others

TEL AVIV, Israel, Jan. 19, 2023 (GLOBE NEWSWIRE) -- Legit Security, a cyber security company with an enterprise platform that protects an organization's software supply chain from attack and ensures secure application delivery, today announced that it discovered an easy to exploit Denial-of-Service (DoS) vulnerability in Markdown libraries used by GitHub, GitLab and countless other applications using a popular markdown rendering service called commonmarker. Coined “MarkdownTime”, a vulnerable version of the commonmarker service allows an attacker to deploy a simple DoS attack that would shut down innumerable digital business services across the globe by disrupting their application development pipelines. More information on the vulnerability and how to mitigate the risks are found on a technical disclosure blog found here.

Markdown refers to creating formatted text using a plain text editor which is commonly found in software development tools and environments. A wide range of applications and projects implement these popular open source markdown libraries, such as the popular variant found in GitHub’s implementation - GFM (GitHub Flavored Markdown). In this case, Legit Security researchers found that it was simple to trigger unbounded resource exhaustion leading to a Denial-of-Service attack which could take down the service. After bringing this vulnerability to the attention of the GitHub security team, GitHub recognized the issue and posted a formal acknowledgement and fix which can be found here: CVE-2022-39209. It should be noted that many other tools and services may also be susceptible to the same vulnerability.

“Open-source libraries are ubiquitous in modern software development, but when vulnerabilities emerge, they can be very difficult to track due to uncontrolled copies of the original vulnerable code,” said Liav Caspi, CTO and co-founder of Legit Security. “When a library becomes popular and widespread, a vulnerability inside of it could potentially enable an attack on countless projects. Those attacks can include disruption of critical business services, such as crippling the software supply chain and the ability to release new business applications.”

This is exactly what the Legit Security research team saw with MarkdownTime: a copy of the vulnerable GFM implementation was found in commonmarker, the popular Ruby package implementing Markdown support, which has more than 1 million dependent repositories. The Legit Security team found implementations across several business critical source code management services, among them GitHub and GitLab. Using this exploit, an unauthenticated attacker can bring down entire software production pipelines and causing significant damage to organization’s digital business initiatives. Many other services beyond just software development environments may also be vulnerable to costly business disruption.

The Legit Security research team has disclosed this security issue to the maintainer of commonmarker, as well as to both GitHub and GitLab. All of them have fixed the issues, but many more copies of this markdown implementation have been deployed and are in use. An in-depth description of MarkdownTime, along with information on how to protect organizations and projects, can be found in Legit Security’s blog.

Legit Security

Legit Security protects an organization's software supply chain from attack and ensures secure application delivery, governance and risk management from code to cloud. The platform’s unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments, and allow security issues to be prioritized based on context and business criticality to improve security team efficiency and effectiveness.

Media Contact
Tony Keller

Contact Data