Bug 2270236 (CVE-2024-21503) - CVE-2024-21503 psf/black: ReDoS via the lines_with_leading_tabs_expanded() function in strings.py file
Summary: CVE-2024-21503 psf/black: ReDoS via the lines_with_leading_tabs_expanded() fu...
Keywords:
Status: NEW
Alias: CVE-2024-21503
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270238
Blocks: 2270240
Reported: 2024-03-19 07:37 UTC by TEJ RATHI
Modified: 2024-04-16 11:32 UTC (History)

Fixed In Version: black 24.3.0
Doc Type: If docs needed, set a value
Doc Text:
The python-black package is susceptible to a regular expression denial of service (ReDoS) in the lines_with_leading_tabs_expanded() function in strings.py. Black runs this code over docstrings, so an attacker who can get Black to format untrusted input, or who inserts a very large number of leading tab characters into a docstring, can make the formatter consume excessive CPU time and deny service.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description TEJ RATHI 2024-03-19 07:37:20 UTC
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8
https://github.com/psf/black/releases/tag/24.3.0
https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273
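
The following is an added example, not code from the bug report or from black itself. It places a Python reconstruction of the regex-driven helper as it existed before 24.3.0 next to the lstrip()-based rewrite that the fix uses, and feeds both a constructed docstring whose body line is nothing but tabs. The pre-fix pattern `\s*\t+\s*(\S)`, the function bodies and the names `lines_with_leading_tabs_expanded_vulnerable` / `lines_with_leading_tabs_expanded_fixed` are reconstructed from memory of the linked commit and should be verified against it; the timings it prints are illustrative only.

```python
import re
import time
from typing import Callable, List

# Pattern as used by black before 24.3.0 (reconstructed; verify against the
# linked commit). `\s*`, `\t+` and the second `\s*` all accept a tab, so on a
# run of N tabs that is not followed by any non-whitespace character the
# engine tries every way of splitting the run between the three quantifiers
# before the match fails: roughly N^3 / 6 backtracking steps.
FIRST_NON_WHITESPACE_RE = re.compile(r"\s*\t+\s*(\S)")


def lines_with_leading_tabs_expanded_vulnerable(s: str) -> List[str]:
    """Expand only leading tabs, pre-24.3.0 style (regex driven)."""
    lines = []
    for line in s.splitlines():
        match = FIRST_NON_WHITESPACE_RE.match(line)
        if match:
            idx = match.start(1)  # first non-whitespace character
            lines.append(line[:idx].expandtabs() + line[idx:])
        else:
            lines.append(line)
    if s.endswith("\n"):
        lines.append("")
    return lines


def lines_with_leading_tabs_expanded_fixed(s: str) -> List[str]:
    """Same result without a regex: lstrip() peels the leading whitespace off
    in one linear scan, and only that prefix gets expandtabs(). A line that is
    all whitespace, or has no leading whitespace, is returned unchanged, which
    matches what the regex version did (no match -> line unchanged)."""
    lines = []
    for line in s.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped == line:
            lines.append(line)
        else:
            prefix = line[: len(line) - len(stripped)].expandtabs()
            lines.append(prefix + stripped)
    if s.endswith("\n"):
        lines.append("")
    return lines


def malicious_docstring(n_tabs: int) -> str:
    """Constructed trigger (not taken from any real report): a docstring whose
    second line is n_tabs tab characters and nothing else. The regex needs a
    non-whitespace character after the tabs to succeed, so it can only fail,
    and it fails after cubic backtracking."""
    return '"""Summary line.\n' + "\t" * n_tabs + '\n"""'


def time_call(fn: Callable[[str], List[str]], s: str) -> float:
    """Wall-clock seconds for one call of fn(s)."""
    t0 = time.perf_counter()
    fn(s)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Keep the vulnerable run small; it is cubic, so 300 tabs is already
    # millions of steps. The fixed version is linear and never notices.
    for n in (100, 200, 300):
        slow = time_call(lines_with_leading_tabs_expanded_vulnerable, malicious_docstring(n))
        fast = time_call(lines_with_leading_tabs_expanded_fixed, malicious_docstring(n))
        print(f"{n:>6} tabs  vulnerable: {slow:.3f}s  fixed: {fast:.6f}s")
    big = time_call(lines_with_leading_tabs_expanded_fixed, malicious_docstring(200_000))
    print(f"200000 tabs  fixed: {big:.6f}s")
```

Running the script shows the regex version's time growing much faster than the input while the rewrite stays flat even at 200,000 tabs, which is the practical difference between "habitually putting thousands of leading tabs in a docstring" being a curiosity and being a denial of service. The two functions agree on every line shape the original handled: leading tabs before text are expanded, leading spaces without a tab expand to themselves, and whitespace-only or unindented lines pass through untouched.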

Comment 1 TEJ RATHI 2024-03-19 07:39:08 UTC
Created python-black tracking bugs for this issue:

Affects: fedora-all [bug 2270238]

