pysec-2024-48
Vulnerability from pysec
Published
2024-03-19 05:15
Modified
2024-03-19 11:18
Details

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Aliases


To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "black",
        "purl": "pkg:pypi/black"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "f00093672628d212b8965a8993cee8bedf5fe9b8"
            }
          ],
          "repo": "https://github.com/psf/black",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "24.3.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "18.3a0",
        "18.3a1",
        "18.3a2",
        "18.3a3",
        "18.3a4",
        "18.4a0",
        "18.4a1",
        "18.4a2",
        "18.4a3",
        "18.4a4",
        "18.5b0",
        "18.5b1",
        "18.6b0",
        "18.6b1",
        "18.6b2",
        "18.6b3",
        "18.6b4",
        "18.9b0",
        "19.10b0",
        "19.3b0",
        "20.8b0",
        "20.8b1",
        "21.10b0",
        "21.11b0",
        "21.11b1",
        "21.12b0",
        "21.4b0",
        "21.4b1",
        "21.4b2",
        "21.5b0",
        "21.5b1",
        "21.5b2",
        "21.6b0",
        "21.7b0",
        "21.8b0",
        "21.9b0",
        "22.1.0",
        "22.10.0",
        "22.12.0",
        "22.3.0",
        "22.6.0",
        "22.8.0",
        "23.1.0",
        "23.10.0",
        "23.10.1",
        "23.11.0",
        "23.12.0",
        "23.12.1",
        "23.1a1",
        "23.3.0",
        "23.7.0",
        "23.9.0",
        "23.9.1",
        "24.1.0",
        "24.1.1",
        "24.1a1",
        "24.2.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-21503"
  ],
  "details": "Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.\r\rExploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.",
  "id": "PYSEC-2024-48",
  "modified": "2024-03-19T11:18:50.379002+00:00",
  "published": "2024-03-19T05:15:00+00:00",
  "references": [
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273"
    },
    {
      "type": "WEB",
      "url": "https://github.com/psf/black/releases/tag/24.3.0"
    },
    {
      "type": "FIX",
      "url": "https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.