CVE-2021-27291

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

References

Affected packages

Git / github.com/pygments/pygments

Affected ranges

Type

GIT

Repo

https://github.com/pygments/pygments

Events

Introduced

f534f990331df660f5a5ea6947943e184672ac51

Fixed

4d555d0fffc914a2a4ac9874416cdaaf8f8c9e74

Fixed

2e7e8c4a7b318f4032493773732754e418279a14

Database specific

{
    "versions": [
        {
            "introduced": "1.1"
        },
        {
            "fixed": "2.7.4"
        }
    ]
}

Affected versions

1.*

1.1

1.1.1

1.2

1.2.1

1.2.2

1.3

1.3.1

1.4

1.5

1.6

1.6rc1

2.*

2.0

2.0.1

2.0.2

2.0rc1

2.1

2.1.1

2.1.2

2.1.3

2.2.0

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.7.0

2.7.1

2.7.2

2.7.3

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "10.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "33"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27291.json"