GHSA-73jc-5mrq-prw7

Source
https://github.com/advisories/GHSA-73jc-5mrq-prw7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-73jc-5mrq-prw7/GHSA-73jc-5mrq-prw7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-73jc-5mrq-prw7
Aliases
  • CVE-2026-46374
Published
2026-05-19T20:10:53Z
Modified
2026-05-19T20:15:17.710200259Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser
Details

Impact

In deployments where untrusted users can supply SQL queries to be linted, an attacker can submit a crafted, very long query to any application that uses the parser and trigger a denial of service through resource exhaustion.

Patches

Versions 4.2.0 and later contain a configurable parse node limit, enabled by default, to prevent this kind of attack.
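The mitigation the advisory describes, a parse node limit, as an added illustration that is not sqlfluff's code: the toy WHERE-clause grammar, the `WhereParser` class, the `lint_untrusted` function and the `max_nodes` parameter are assumptions made for this example, and the limit here is not sqlfluff's configuration option (the advisory does not name it). Every node passes through one counting method, so an oversized query aborts once the budget is crossed instead of building a tree proportional to its size.

```python
"""Parse-node budget for a parser fed untrusted input (added example,
not sqlfluff's code; names and grammar are illustrative assumptions)."""
import re
from dataclasses import dataclass, field


class ParseLimitExceeded(Exception):
    """Raised when the parser would create more nodes than its budget allows."""


@dataclass
class Node:
    kind: str
    children: list = field(default_factory=list)
    text: str = ""


# Toy tokenizer for a WHERE-clause subset: parens, identifiers, integers, '='.
TOKEN_RE = re.compile(r"\s*(\(|\)|[A-Za-z_][A-Za-z0-9_]*|\d+|=|\S)")


def tokenize(sql: str) -> list:
    return [m.group(1) for m in TOKEN_RE.finditer(sql)]


class WhereParser:
    """Recursive descent: expr := term (('AND'|'OR') term)*,
    term := '(' expr ')' | IDENT '=' (IDENT | INT)."""

    def __init__(self, tokens, max_nodes=10_000):
        self.toks = tokens
        self.pos = 0
        self.max_nodes = max_nodes
        self.nodes = 0  # nodes created so far, compared against the budget

    def _node(self, kind, children=(), text=""):
        # Single choke point: no grammar path can create a node uncounted.
        self.nodes += 1
        if self.nodes > self.max_nodes:
            raise ParseLimitExceeded(f"parse node limit of {self.max_nodes} exceeded")
        return Node(kind, list(children), text)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected!r}, got {tok!r}")
        self.pos += 1
        return tok

    def parse(self):
        tree = self.expr()
        if self._peek() is not None:
            raise SyntaxError(f"unexpected trailing token {self._peek()!r}")
        return tree

    def expr(self):
        left = self.term()
        while self._peek() is not None and self._peek().upper() in ("AND", "OR"):
            op = self._take()
            right = self.term()
            left = self._node("binop", [left, right], op.upper())
        return left

    def term(self):
        if self._peek() == "(":
            self._take("(")
            inner = self.expr()
            self._take(")")
            return self._node("paren", [inner])
        column = self._node("identifier", text=self._take())
        self._take("=")
        value = self._node("literal", text=self._take())
        return self._node("comparison", [column, value], "=")


def lint_untrusted(sql: str, max_nodes: int = 10_000):
    """Parse untrusted SQL under a node budget.

    Returns ("ok", node_count), ("rejected", reason) when the budget is
    exceeded, or ("syntax_error", reason) for malformed input.
    """
    parser = WhereParser(tokenize(sql), max_nodes)
    try:
        parser.parse()
    except ParseLimitExceeded as exc:
        return ("rejected", str(exc))
    except SyntaxError as exc:
        return ("syntax_error", str(exc))
    return ("ok", parser.nodes)


if __name__ == "__main__":
    # Constructed oversized input: 5000 AND-chained comparisons (4n - 1 nodes).
    big = " AND ".join(f"c{i} = {i}" for i in range(5000))
    print(lint_untrusted("a = 1 AND (b = 2 OR c = 3)"))  # ('ok', 12)
    print(lint_untrusted(big, max_nodes=1000))            # rejected early
    print(lint_untrusted(big, max_nodes=20000))           # ('ok', 19999)
```

A node budget bounds the parser's memory and the size of the tree that later lint rules walk, but it does not bound everything: the tokenizer still scans the whole input, and deeply nested parentheses still consume stack in a recursive parser. In a service that lints user-supplied SQL, pair the limit with a request size cap at the edge and, for recursive parsers, a nesting-depth cap, and log rejections so a burst of oversized queries is visible to operators.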

Credit

Ori Nakar from the Imperva Threat Research Team.

Database specific
{
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed_at": "2026-05-19T20:10:53Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": null
}
References

Affected packages

PyPI / sqlfluff

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.2.0

Affected versions

0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.9
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.2.post1
0.3.2.post2
0.3.3
0.3.4
0.3.5
0.3.6
0.4.0a1
0.4.0a2
0.4.0a3
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.6.0a1
0.6.0a2
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0a1
0.7.0a2
0.7.0a3
0.7.0a5
0.7.0a8
0.7.0
0.7.1
0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.10.0
0.10.1
0.11.0
0.11.1
0.11.2
0.12.0
0.13.0
0.13.1
0.13.2
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
2.*
2.0.0a1
2.0.0a2
2.0.0a3
2.0.0a4
2.0.0a5
2.0.0a6
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
3.*
3.0.0a1
3.0.0a2
3.0.0a3
3.0.0a4
3.0.0a5
3.0.0a6
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.3.0
3.3.1
3.4.0
3.4.1
3.4.2
3.5.0
4.*
4.0.0a1
4.0.0a2
4.0.0a3
4.0.0
4.0.1.post1
4.0.3
4.0.4a1
4.0.4
4.1.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-73jc-5mrq-prw7/GHSA-73jc-5mrq-prw7.json"