CVE-2024-21503 : Versions of the package black before 24.3.0 are vulnerable to Regular Expression

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Published 2024-03-19 05:00:01

Updated 2024-07-03 01:46:42

Source Snyk

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2024-21503

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2024-21503

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 8 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-21503

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	Snyk	2024-03-19
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	N/A	N/A	RedHat-CVE-2024-21503	2024-03-19
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2024-21503

CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

The product does not adequately filter user-controlled input for special elements with control implications.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Assigned by: report@snyk.io (Secondary)

References for CVE-2024-21503

https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8

Fix catastrophic performance in lines_with_leading_tabs_expanded() (#… · psf/black@f000936 · GitHub
https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273

Regular Expression Denial of Service (ReDoS) in black | CVE-2024-21503 | Snyk
https://github.com/psf/black/releases/tag/24.3.0

Release 24.3.0 · psf/black · GitHub

Jump to

Vulnerability Details : CVE-2024-21503

Products affected by CVE-2024-21503

Exploit prediction scoring system (EPSS) score for CVE-2024-21503

CVSS scores for CVE-2024-21503

CWE ids for CVE-2024-21503

References for CVE-2024-21503