The py.path.svnwc component of py (aka python-py) through v1.9.0 contains a regular expression with an ambiguous subpattern that is susceptible to catastrophic backtracking. Attackers could use this to cause a compute-time denial of service by supplying malicious input to the blame functionality.
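One mitigation for this class of bug, shown as an added example that is not code from py or from this advisory: parse blame-style lines with plain string splitting, which runs in linear time, and reject oversized lines first. The `<revision> <author> <text>` line layout, the function names and the 4096-character cap are assumptions.

```python
# Added example: regex-free, linear-time parsing of blame-style lines.
# Assumed layout (not from the advisory): "<revision> <author> <text>",
# with the revision optionally padded by leading whitespace.

MAX_LINE_LEN = 4096  # assumed cap; oversized lines are rejected unparsed


def parse_blame_line(line):
    """Return (revision, author, text), or None if the line is malformed.

    Each step is a single left-to-right scan, so the total cost is
    O(len(line)) regardless of what the input looks like. There is no
    backtracking because no field boundary is ever re-guessed.
    """
    if len(line) > MAX_LINE_LEN:
        return None
    # Field 1: revision. split(None, 1) skips leading whitespace and cuts
    # at the first whitespace run, dropping that run from the remainder.
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None
    rev, rest = parts
    if not (rev.isascii() and rev.isdigit()):
        return None
    # Field 2: author, terminated by exactly one space so that leading
    # indentation of the source text in field 3 is preserved.
    author, sep, text = rest.partition(" ")
    if not sep or not author:
        return None
    return int(rev), author, text


def parse_blame(output):
    """Parse multi-line blame output; malformed lines are skipped."""
    parsed = (parse_blame_line(line) for line in output.splitlines())
    return [entry for entry in parsed if entry is not None]


# Constructed sample input, not captured from a real repository.
SAMPLE = "     3      sally This is a line.\nnot a blame line\n"

if __name__ == "__main__":
    print(parse_blame(SAMPLE))
```
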