PYSEC-2024-48

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/black/PYSEC-2024-48.yaml

Aliases

Published

2024-03-19T05:15:00Z

Modified

2024-03-20T15:41:52.204760Z

Details

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lineswithleadingtabsexpanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

References

Affected packages

PyPI / black

Package

Name: black

Affected ranges

Type: GIT
Repo: https://github.com/psf/black
Events: Introduced

0The exact introduced commit is unknown

Fixed

f00093672628d212b8965a8993cee8bedf5fe9b8

Type: ECOSYSTEM
Events: Introduced

0The exact introduced commit is unknown

Fixed

24.3.0

Affected versions

18.*

18.3a0

18.3a1

18.3a2

18.3a3

18.3a4

18.4a0

18.4a1

18.4a2

18.4a3

18.4a4

18.5b0

18.5b1

18.6b0

18.6b1

18.6b2

18.6b3

18.6b4

18.9b0

19.*

19.3b0

19.10b0

20.*

20.8b0

20.8b1

21.*

21.4b0

21.4b1

21.4b2

21.5b0

21.5b1

21.5b2

21.6b0

21.7b0

21.8b0

21.9b0

21.10b0

21.11b0

21.11b1

21.12b0

22.*

22.1.0

22.3.0

22.6.0

22.8.0

22.10.0

22.12.0

23.*

23.1a1

23.1.0

23.3.0

23.7.0

23.9.0

23.9.1

23.10.0

23.10.1

23.11.0

23.12.0

23.12.1

24.*

24.1a1

24.1.0

24.1.1

24.2.0