pydantic is vulnerable to denial of service. An attacker is able to exploit the vulnerability by passing either `infinity`, `inf` or `float(inf)` (or their negatives) to `datetime` or `date` fields, causing the validation to run in loops with 100% CPU usage.
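The hang comes from a timestamp-normalising loop that divides an oversized value by 1000 until it fits; `inf / 1000` is still `inf`, so the loop never ends. Below is an added example (not pydantic's own code) of a unix-seconds parser with the guard that prevents this; the watershed and clamp constants and the loop shape are assumptions modelled on the 1.x parser, and the sample inputs are constructed.

```python
import math
from datetime import datetime, timedelta, timezone

# Assumed constants modelled on pydantic 1.x datetime parsing (not copied):
# values above MS_WATERSHED are treated as milliseconds and divided down;
# values beyond MAX_NUMBER cannot be a meaningful timestamp at all.
MS_WATERSHED = int(2e10)
MAX_NUMBER = int(3e20)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_unix_seconds_hardened(seconds):
    """Convert a unix timestamp (seconds or milliseconds) to an aware datetime.

    Non-finite input is rejected before the division loop: with float('inf')
    the loop below would never terminate (inf / 1000 == inf), and with NaN
    every comparison is False, so NaN would silently produce a bogus date.
    """
    # bool is a subclass of int; reject it explicitly along with strings etc.
    if isinstance(seconds, bool) or not isinstance(seconds, (int, float)):
        raise TypeError("timestamp must be int or float")
    if isinstance(seconds, float) and not math.isfinite(seconds):
        raise ValueError("timestamp must be finite")
    # Clamp absurd magnitudes instead of looping them down.
    if seconds > MAX_NUMBER:
        return datetime.max.replace(tzinfo=timezone.utc)
    if seconds < -MAX_NUMBER:
        return datetime.min.replace(tzinfo=timezone.utc)
    # Bounded now: each pass shrinks |seconds| by 1000, so any finite value
    # below MAX_NUMBER needs only a handful of iterations.
    while abs(seconds) > MS_WATERSHED:
        seconds /= 1000
    return EPOCH + timedelta(seconds=seconds)


if __name__ == "__main__":
    # Constructed inputs: seconds, milliseconds, and the advisory's trigger.
    print(from_unix_seconds_hardened(1_600_000_000))
    print(from_unix_seconds_hardened(1_600_000_000_000))
    try:
        from_unix_seconds_hardened(float("inf"))
    except ValueError as exc:
        print("rejected:", exc)
```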
github.com/advisories/GHSA-5jqp-qgf6-3pvh
github.com/samuelcolvin/pydantic/commit/7e83fdd2563ffac081db7ecdf1affa65ef38c468
github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S2HT266L6Q7H6ICP7DFGXOGBJHNNKMKB/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UEFWM7DYKD2ZHE7R5YT5EQWJPV4ZKYRB/
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UMKAJX4O6IGBBCE32CO2G7PZQCCQSBLV/