CVE-2024-21503 – black
Package
Manager: pip
Name: black
Vulnerable Version: >=0 <24.3.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.0006 pctl0.18885
Details
Black vulnerable to Regular Expression Denial of Service (ReDoS)
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
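The practical question for a defender is whether a given installation falls inside the advisory's vulnerable range (">=0 <24.3.0") so it can be upgraded or pinned. The following is an added example written for this page; it is not code from the advisory database or from the black project. It assumes the advisory's range syntax is a space-separated list of comparators (>=, <=, >, <, ==) applied with AND, and it implements a minimal PEP 440-style ordering (dotted release segment plus an optional a/b/rc pre-release suffix, which is the shape of black's own version numbers) so that it runs without third-party packages.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Vulnerable range and fixed version as stated in the advisory fields above.
VULNERABLE_RANGE = ">=0 <24.3.0"
FIXED_VERSION = "24.3.0"

# Release segment plus optional pre-release suffix, e.g. "24.3.0", "21.12b0".
# (Assumption: post/dev suffixes are not needed for black's release history.)
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_PAD = 5  # release segments are padded with zeros so "24.3" == "24.3.0"

VersionKey = Tuple[Tuple[int, ...], Tuple[int, ...]]


def version_key(text: str) -> VersionKey:
    """Turn a version string into a tuple that orders like PEP 440 releases.

    A final release gets the pre-release marker (1,), a pre-release gets
    (0, rank, number), so "24.3.0rc1" < "24.3.0" and "21.12b0" < "21.12".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    if len(release) > _PAD:
        raise ValueError(f"too many release components: {text!r}")
    release = release + (0,) * (_PAD - len(release))
    if m.group(2) is None:
        pre: Tuple[int, ...] = (1,)
    else:
        pre = (0, _PRE_RANK[m.group(2)], int(m.group(3)))
    return (release, pre)


_OPS: Dict[str, Callable[[VersionKey, VersionKey], bool]] = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
}
# Longer operators first so ">=" is not read as ">" followed by "=...".
_CONSTRAINT_RE = re.compile(r"^(>=|<=|==|>|<)(.+)$")


def is_vulnerable(installed: str, vulnerable_range: str = VULNERABLE_RANGE) -> bool:
    """True if `installed` satisfies every comparator in the advisory range."""
    key = version_key(installed)
    for token in vulnerable_range.split():
        m = _CONSTRAINT_RE.match(token)
        if not m:
            raise ValueError(f"unsupported constraint: {token!r}")
        op, bound = m.groups()
        if not _OPS[op](key, version_key(bound)):
            return False
    return True


def check_installed_black() -> Optional[bool]:
    """Look up the black distribution in the current environment.

    Returns True/False for vulnerable/not vulnerable, or None if black is
    not installed (or its version string is in a form this example cannot parse).
    """
    try:
        from importlib.metadata import PackageNotFoundError, version
        installed = version("black")
    except Exception:  # PackageNotFoundError or missing importlib.metadata
        return None
    try:
        return is_vulnerable(installed)
    except ValueError:
        return None


if __name__ == "__main__":
    result = check_installed_black()
    if result is None:
        print("black is not installed here (or has an unparseable version)")
    elif result:
        print(f"black is inside {VULNERABLE_RANGE}: upgrade to >= {FIXED_VERSION}")
    else:
        print(f"black is outside {VULNERABLE_RANGE}: not affected by CVE-2024-21503")
```

The pre-release handling matters for this advisory's boundary: a release candidate of the fixed version still sorts below 24.3.0 and is therefore reported as vulnerable, which is the conservative answer. In a lockfile-based pipeline the same `is_vulnerable` check can be run over the pinned version string instead of the installed distribution.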
Metadata
Created: 2024-03-19T06:30:52Z
Modified: 2024-03-20T15:24:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-fj7x-q9j7-g6q6/GHSA-fj7x-q9j7-g6q6.json
CWE IDs: ["CWE-1333", "CWE-75"]
Alternative ID: GHSA-fj7x-q9j7-g6q6
Finding: F211
Auto approve: 1