<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <id>https://vulnerability.circl.lu/sightings/feed</id>
  <title>Most recent sightings.</title>
  <updated>2026-07-18T04:23:18.279707+00:00</updated>
  <author>
    <name>Vulnerability-Lookup</name>
    <email>info@circl.lu</email>
  </author>
  <link href="https://vulnerability.circl.lu" rel="alternate"/>
  <generator uri="https://lkiesow.github.io/python-feedgen" version="1.0.0">python-feedgen</generator>
  <subtitle>Contains only the most 10 recent sightings.</subtitle>
  <entry>
    <id>https://vulnerability.circl.lu/sighting/64aa3b7c-4a47-4e25-a3e9-cf7916512bbf/export</id>
    <title>64aa3b7c-4a47-4e25-a3e9-cf7916512bbf</title>
    <updated>2026-07-18T04:23:18.288332+00:00</updated>
    <author>
      <name>Automation user</name>
      <uri>https://vulnerability.circl.lu/user/automation</uri>
    </author>
    <content>{"uuid": "64aa3b7c-4a47-4e25-a3e9-cf7916512bbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-g75f-g53v-794x", "type": "seen", "source": "https://gist.github.com/alon710/5922ad26f6aa39fcda791f945c3402e2", "content": "# GHSA-G75F-G53V-794X: GHSA-G75F-G53V-794X: CPU Exhaustion via Unbounded Email Regular Expression Scanning in Bleach\n\n&amp;gt; **CVSS Score:** 4.3\n&amp;gt; **Published:** 2026-06-16\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-G75F-G53V-794X\n\n## Summary\nAn uncontrolled resource consumption vulnerability exists in the Python package Bleach when parsing text to linkify email addresses. When `parse_email=True` is enabled, the regular expression engine is forced into a quadratic-time complexity scan on specially crafted payloads lacking an '@' symbol. This causes immediate CPU exhaustion and blocks application server worker processes.\n\n## TL;DR\nA ReDoS vulnerability in Bleach's email linkifier allows remote attackers to cause severe CPU exhaustion by submitting a 30KB payload of repeating dot-atom sequences, resulting in thread starvation and denial of service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1333\n- **Attack Vector**: Network\n- **CVSS Score**: 4.3\n- **Impact**: Denial of Service (CPU Exhaustion)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- bleach Python package\n- **bleach**: &amp;lt;= 6.3.0 (Fixed in: `None (Deprecated)`)\n\n## Mitigation\n\n- Disable email parsing by ensuring `parse_email=False` when calling `bleach.linkify()`.\n- Implement a linear-time pre-filter check that verifies the presence of the `@` character before invoking the regular expression search.\n- Enforce maximum length limits on user-submitted text inputs to prevent long-running regular expression matches.\n- Construct a custom, bounded email regular expression and supply it to the Bleach Linker interface.\n\n**Remediation Steps:**\n1. Review codebases for instances of `bleach.linkify` and the `Linker` class where `parse_email` is set to `True`.\n2. Wrap the calls to `bleach.linkify` with a pre-filter function that validates input size and checks for the existence of an `@` character.\n3. If the codebase allows, migrate away from the deprecated `bleach` package to active, maintained alternatives such as `nh3`.\n\n## References\n\n- [GitHub Security Advisory GHSA-G75F-G53V-794X](https://github.com/advisories/GHSA-G75F-G53V-794X)\n- [Mozilla Bleach Security Advisories Archive](https://github.com/mozilla/bleach/security/advisories/GHSA-g75f-g53v-794x)\n- [Mozilla Bleach GitHub Repository](https://github.com/mozilla/bleach)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-G75F-G53V-794X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T16:41:37.000000Z"}</content>
    <link href="https://vulnerability.circl.lu/sighting/64aa3b7c-4a47-4e25-a3e9-cf7916512bbf/export"/>
    <published>2026-06-16T16:41:37+00:00</published>
  </entry>
</feed>
