GitHub Advisory DatabaseGHSA-FJ7X-Q9J7-G6Q6Black vulnerable to Regular Expression Denial of Service (ReDoS)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.
Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
Affected configurations
References
github.com/advisories/GHSA-fj7x-q9j7-g6q6
github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8
github.com/psf/black/releases/tag/24.3.0
github.com/pypa/advisory-database/tree/main/vulns/black/PYSEC-2024-48.yaml
nvd.nist.gov/vuln/detail/CVE-2024-21503
security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%