CVE-2022-42964 — pymatgen is vulnerable to Regular Expression Denial of Service (ReDoS)

Description

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method

How to fix CVE-2022-42964

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2022-42964 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0
from 0, <= 2022.9.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42964
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-42964
PATCHgithub.com/materialsproject/pymatgen
WEBgithub.com/materialsproject/pymatgen/issues/2755
WEB