CVE-2024-21503

2024-03-1905:15:09

Debian Security Bug Tracker

security-tracker.debian.org

black package

regular expression denial of service

malicious input

denial of service

untrusted input

leading tab characters

security vulnerability

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

Percentile

15.5%

JSON

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

OSVersionArchitecturePackageVersionFilename
Debian12allblack<= 23.1.0-1black_23.1.0-1_all.deb
Debian11allblack<= 20.8b1-4black_20.8b1-4_all.deb
Debian999allblack< 24.4.0-1black_24.4.0-1_all.deb
Debian13allblack< 24.4.0-1black_24.4.0-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	black	<= 23.1.0-1	black_23.1.0-1_all.deb
Debian	11	all	black	<= 20.8b1-4	black_20.8b1-4_all.deb
Debian	999	all	black	< 24.4.0-1	black_24.4.0-1_all.deb
Debian	13	all	black	< 24.4.0-1	black_24.4.0-1_all.deb