CVE-2022-42966 — cleo is vulnerable to Regular Expression Denial of Service (ReDoS)

Description

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.

How to fix CVE-2022-42966

To remediate CVE-2022-42966, upgrade the affected package to a fixed version below.

PyPI/cleo—upgrade to 2.0.0 or later
—upgrade to 2.0.0 or later

Is CVE-2022-42966 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.0.0
from 0, < 2.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (9)

ADVISORYgithub.com/advisories/GHSA-2p9h-ccw7-33gf
ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-42966
PATCHgithub.com/python-poetry/cleo
WEBgithub.com/pypa/advisory-database/tree/main/vulns/cleo/PYSEC-2022-43178.yaml