{"vulnerability": "ghsa-g75f-g53v-794x", "sightings": [{"uuid": "64aa3b7c-4a47-4e25-a3e9-cf7916512bbf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-g75f-g53v-794x", "type": "seen", "source": "https://gist.github.com/alon710/5922ad26f6aa39fcda791f945c3402e2", "content": "# GHSA-G75F-G53V-794X: GHSA-G75F-G53V-794X: CPU Exhaustion via Unbounded Email Regular Expression Scanning in Bleach\n\n&gt; **CVSS Score:** 4.3\n&gt; **Published:** 2026-06-16\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-G75F-G53V-794X\n\n## Summary\nAn uncontrolled resource consumption vulnerability exists in the Python package Bleach when parsing text to linkify email addresses. When `parse_email=True` is enabled, the regular expression engine is forced into a quadratic-time complexity scan on specially crafted payloads lacking an '@' symbol. This causes immediate CPU exhaustion and blocks application server worker processes.\n\n## TL;DR\nA ReDoS vulnerability in Bleach's email linkifier allows remote attackers to cause severe CPU exhaustion by submitting a 30KB payload of repeating dot-atom sequences, resulting in thread starvation and denial of service.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-1333\n- **Attack Vector**: Network\n- **CVSS Score**: 4.3\n- **Impact**: Denial of Service (CPU Exhaustion)\n- **Exploit Status**: Proof of Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- bleach Python package\n- **bleach**: &lt;= 6.3.0 (Fixed in: `None (Deprecated)`)\n\n## Mitigation\n\n- Disable email parsing by ensuring `parse_email=False` when calling `bleach.linkify()`.\n- Implement a linear-time pre-filter check that verifies the presence of the `@` character before invoking the regular expression search.\n- Enforce maximum length limits on user-submitted text inputs to prevent long-running regular expression matches.\n- Construct a custom, bounded email regular expression and supply it to the Bleach Linker interface.\n\n**Remediation Steps:**\n1. Review codebases for instances of `bleach.linkify` and the `Linker` class where `parse_email` is set to `True`.\n2. Wrap the calls to `bleach.linkify` with a pre-filter function that validates input size and checks for the existence of an `@` character.\n3. If the codebase allows, migrate away from the deprecated `bleach` package to active, maintained alternatives such as `nh3`.\n\n## References\n\n- [GitHub Security Advisory GHSA-G75F-G53V-794X](https://github.com/advisories/GHSA-G75F-G53V-794X)\n- [Mozilla Bleach Security Advisories Archive](https://github.com/mozilla/bleach/security/advisories/GHSA-g75f-g53v-794x)\n- [Mozilla Bleach GitHub Repository](https://github.com/mozilla/bleach)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-G75F-G53V-794X) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-16T16:41:37.000000Z"}]}