Inefficient Regular Expression Complexity
CVE-2024-21503
Summary
The package black versions 21.4b0 through 24.2.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the "lines_with_leading_tabs_expanded" function in the "strings.py" file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial-of-service (DoS) attack. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- LOW
CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
References
Advisory Timeline
- Published