GHSA-fj7x-q9j7-g6q6

Suggest an improvement
Source
https://github.com/advisories/GHSA-fj7x-q9j7-g6q6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-fj7x-q9j7-g6q6/GHSA-fj7x-q9j7-g6q6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fj7x-q9j7-g6q6
Aliases
Published
2024-03-19T06:30:52Z
Modified
2024-07-03T21:30:43.913247Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Black vulnerable to Regular Expression Denial of Service (ReDoS)
Details

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lineswithleadingtabsexpanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Database specific
{
    "nvd_published_at": "2024-03-19T05:15:09Z",
    "cwe_ids": [
        "CWE-1333",
        "CWE-75"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-20T15:24:01Z"
}
References

Affected packages

PyPI / black

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
24.3.0

Affected versions

18.*

18.3a0
18.3a1
18.3a2
18.3a3
18.3a4
18.4a0
18.4a1
18.4a2
18.4a3
18.4a4
18.5b0
18.5b1
18.6b0
18.6b1
18.6b2
18.6b3
18.6b4
18.9b0

19.*

19.3b0
19.10b0

20.*

20.8b0
20.8b1

21.*

21.4b0
21.4b1
21.4b2
21.5b0
21.5b1
21.5b2
21.6b0
21.7b0
21.8b0
21.9b0
21.10b0
21.11b0
21.11b1
21.12b0

22.*

22.1.0
22.3.0
22.6.0
22.8.0
22.10.0
22.12.0

23.*

23.1a1
23.1.0
23.3.0
23.7.0
23.9.0
23.9.1
23.10.0
23.10.1
23.11.0
23.12.0
23.12.1

24.*

24.1a1
24.1.0
24.1.1
24.2.0