Skip to main content

Inefficient Regular Expression Complexity

CVE-2024-21503

Severity Medium
Score 5.3/10

Summary

The package black versions 21.4b0 through 24.2.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the "lines_with_leading_tabs_expanded" function in the "strings.py" file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial-of-service (DoS) attack. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • LOW

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Advisory Timeline

  • Published