I’m re-submitting #520612 after getting CVEs issued, as instructed in an automated email from November 17th.
Getting CVEs issued took a while, but here they are:
A service that takes Python snippets as payload, but doesn’t necessarily execute them, could possibly be caused to crash, leading to a denial of service. Examples of such services include online playgrounds for static analysis tools, syntax highlighting & formatting services, etc.
I didn’t copy-and-paste all the original details here; see the original issue ( #520612 ) for that.