CVE-2024-21503

Name: CVE-2024-21503

Description: Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

NVD Severity: unknown
Other trackers
Mailing lists
Exploits
Forges: GitHub (code, issues), Aports (code, issues)

References

Type            URI
report@snyk.io  https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8
report@snyk.io  https://github.com/psf/black/releases/tag/24.3.0
report@snyk.io  https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273

Match rules

CPE URI                                                     Source package  Min version  Max version
-                                                           black           >= 0         < 24.3.0
cpe:2.3:a:python_software_foundation:black:*:*:*:*:*:*:*:*  black           >= 0         < 24.3.0

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                            Status
black           edge-community  24.3.0-r0   Michał Polański <michal@polanski.me>  fixed
black           3.22-community  24.3.0-r0   None                                  fixed
black           3.21-community  24.3.0-r0   None                                  fixed
black           3.20-community  24.3.0-r0   None                                  fixed
black           3.19-community  23.12.0-r0  Michał Polański <michal@polanski.me>  fixed