CVE-2024-21503

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-21503

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21503.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-21503

Aliases

Downstream

DEBIAN-CVE-2024-21503

RHSA-2024:3781

SUSE-SU-2024:2481-1

UBUNTU-CVE-2024-21503

openSUSE-SU-2024:13783-1

Related

Published

2024-03-19T05:15:09Z

Modified

2025-10-21T17:34:13.829909Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

[none]

Details

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lineswithleadingtabsexpanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

References

Affected packages

Git / github.com/psf/black

Affected ranges

Type: GIT
Repo: https://github.com/psf/black
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

552baf822992936134cbd31a38f69c8cfe7c0f05

Fixed

f00093672628d212b8965a8993cee8bedf5fe9b8

Affected versions

18.*

18.3a0

18.3a1

18.3a2

18.3a3

18.3a4

18.4a0

18.4a1

18.4a2

18.4a3

18.4a4

18.5b0

18.5b1

18.6b0

18.6b1

18.6b2

18.6b3

18.6b4

18.9b0

19.*

19.10b0

19.3b0

20.*

20.8b0

20.8b1

21.*

21.10b0

21.11b0

21.11b1

21.12b0

21.4b0

21.4b1

21.4b2

21.5b0

21.5b1

21.5b2

21.6b0

21.7b0

21.8b0

21.9b0

22.*

22.1.0

22.10.0

22.12.0

22.3.0

22.6.0

22.8.0

23.*

23.1.0

23.10.0

23.10.1

23.11.0

23.12.0

23.12.1

23.3.0

23.7.0

23.9.0

23.9.1

24.*

24.1.0

24.1.1

24.2.0