<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://vulnerability.circl.lu</link>
    <description>Contains only the most 10 recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Sat, 18 Jul 2026 02:53:10 +0000</lastBuildDate>
    <item>
      <title>64aa3b7c-4a47-4e25-a3e9-cf7916512bbf</title>
      <link>https://vulnerability.circl.lu/sighting/64aa3b7c-4a47-4e25-a3e9-cf7916512bbf/export</link>
      <description>{"uuid": "64aa3b7c-4a47-4e25-a3e9-cf7916512bbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-g75f-g53v-794x", "type": "seen", "source": "https://gist.github.com/alon710/5922ad26f6aa39fcda791f945c3402e2", "content": "# GHSA-G75F-G53V-794X: GHSA-G75F-G53V-794X: CPU Exhaustion via Unbounded Email Regular Expression Scanning in Bleach\n\n&amp;gt; **CVSS Score:** 4.3\n&amp;gt; **Published:** 2026-06-16\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-G75F-G53V-794X\n\n## Summary\nAn uncontrolled resource consumption vulnerability exists in the Python package Bleach when parsing text to linkify email addresses. When `parse_email=True` is enabled, the regular expression engine is forced into a quadratic-time complexity scan on specially crafted payloads lacking an '@' symbol. This causes immediate CPU exhaustion and blocks application server worker processes.\n\n## TL;DR\nA ReDoS vulnerability in Bleach's email linkifier allows remote attackers to cause severe CPU exhaustion by submitting a 30KB payload of repeating dot-atom sequences, resulting in thread starvation and denial of service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1333\n- **Attack Vector**: Network\n- **CVSS Score**: 4.3\n- **Impact**: Denial of Service (CPU Exhaustion)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- bleach Python package\n- **bleach**: &amp;lt;= 6.3.0 (Fixed in: `None (Deprecated)`)\n\n## Mitigation\n\n- Disable email parsing by ensuring `parse_email=False` when calling `bleach.linkify()`.\n- Implement a linear-time pre-filter check that verifies the presence of the `@` character before invoking the regular expression search.\n- Enforce maximum length limits on user-submitted text inputs to prevent long-running regular expression matches.\n- Construct a custom, bounded email regular expression and supply it to the Bleach Linker interface.\n\n**Remediation Steps:**\n1. Review codebases for instances of `bleach.linkify` and the `Linker` class where `parse_email` is set to `True`.\n2. Wrap the calls to `bleach.linkify` with a pre-filter function that validates input size and checks for the existence of an `@` character.\n3. If the codebase allows, migrate away from the deprecated `bleach` package to active, maintained alternatives such as `nh3`.\n\n## References\n\n- [GitHub Security Advisory GHSA-G75F-G53V-794X](https://github.com/advisories/GHSA-G75F-G53V-794X)\n- [Mozilla Bleach Security Advisories Archive](https://github.com/mozilla/bleach/security/advisories/GHSA-g75f-g53v-794x)\n- [Mozilla Bleach GitHub Repository](https://github.com/mozilla/bleach)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-G75F-G53V-794X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T16:41:37.000000Z"}</description>
      <content:encoded>{"uuid": "64aa3b7c-4a47-4e25-a3e9-cf7916512bbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-g75f-g53v-794x", "type": "seen", "source": "https://gist.github.com/alon710/5922ad26f6aa39fcda791f945c3402e2", "content": "# GHSA-G75F-G53V-794X: GHSA-G75F-G53V-794X: CPU Exhaustion via Unbounded Email Regular Expression Scanning in Bleach\n\n&amp;gt; **CVSS Score:** 4.3\n&amp;gt; **Published:** 2026-06-16\n&amp;gt; **Full Report:** https://cvereports.com/reports/GHSA-G75F-G53V-794X\n\n## Summary\nAn uncontrolled resource consumption vulnerability exists in the Python package Bleach when parsing text to linkify email addresses. When `parse_email=True` is enabled, the regular expression engine is forced into a quadratic-time complexity scan on specially crafted payloads lacking an '@' symbol. This causes immediate CPU exhaustion and blocks application server worker processes.\n\n## TL;DR\nA ReDoS vulnerability in Bleach's email linkifier allows remote attackers to cause severe CPU exhaustion by submitting a 30KB payload of repeating dot-atom sequences, resulting in thread starvation and denial of service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1333\n- **Attack Vector**: Network\n- **CVSS Score**: 4.3\n- **Impact**: Denial of Service (CPU Exhaustion)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- bleach Python package\n- **bleach**: &amp;lt;= 6.3.0 (Fixed in: `None (Deprecated)`)\n\n## Mitigation\n\n- Disable email parsing by ensuring `parse_email=False` when calling `bleach.linkify()`.\n- Implement a linear-time pre-filter check that verifies the presence of the `@` character before invoking the regular expression search.\n- Enforce maximum length limits on user-submitted text inputs to prevent long-running regular expression matches.\n- Construct a custom, bounded email regular expression and supply it to the Bleach Linker interface.\n\n**Remediation Steps:**\n1. Review codebases for instances of `bleach.linkify` and the `Linker` class where `parse_email` is set to `True`.\n2. Wrap the calls to `bleach.linkify` with a pre-filter function that validates input size and checks for the existence of an `@` character.\n3. If the codebase allows, migrate away from the deprecated `bleach` package to active, maintained alternatives such as `nh3`.\n\n## References\n\n- [GitHub Security Advisory GHSA-G75F-G53V-794X](https://github.com/advisories/GHSA-G75F-G53V-794X)\n- [Mozilla Bleach Security Advisories Archive](https://github.com/mozilla/bleach/security/advisories/GHSA-g75f-g53v-794x)\n- [Mozilla Bleach GitHub Repository](https://github.com/mozilla/bleach)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-G75F-G53V-794X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T16:41:37.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://vulnerability.circl.lu/sighting/64aa3b7c-4a47-4e25-a3e9-cf7916512bbf/export</guid>
      <pubDate>Tue, 16 Jun 2026 16:41:37 +0000</pubDate>
    </item>
  </channel>
</rss>
