CVE-2024-21503

CVSS V2 None CVSS V3 None

Description

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Overview

CVE ID
CVE-2024-21503

Assigner
snyk

Vulnerability Status
PUBLISHED

Published Version
2024-03-19T05:00:01.474Z

Last Modified Date
2024-06-20T21:14:49.619Z

Weakness Enumerations

CWE	URL
CWE-1333	http://cwe.mitre.org/data/definitions/1333.html

References

Reference URL	Reference Tags
https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273
https://github.com/psf/black/releases/tag/24.3.0
https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-21503
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 15:31:53				Added to TrackCVE