GHSA-pq64-v7f5-gqh8
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pq64-v7f5-gqh8
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-pq64-v7f5-gqh8/GHSA-pq64-v7f5-gqh8.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pq64-v7f5-gqh8
- Aliases
- Published
- 2021-03-29T16:33:03Z
- Modified
- 2024-02-22T05:36:41.170318Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Pygments vulnerable to Regular Expression Denial of Service (ReDoS)
- Details
-
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-27291
- https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
- https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
- https://github.com/pygments/pygments
- https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html
- https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
- https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ
- https://www.debian.org/security/2021/dsa-4878
- https://www.debian.org/security/2021/dsa-4889
Affected packages
PyPI / pygments
Package
- Name
- pygments
- View open source insights on deps.dev
- Purl
- pkg:pypi/pygments