CVE-2024-21503
Black vulnerable to Regular Expression Denial of Service (ReDoS)
5.3
MEDIUM
CVSS 3.1
EPSS 0.08%
Description
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
How to fix CVE-2024-21503
To remediate CVE-2024-21503, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 24.3.0 or later
- —upgrade to f00093672628d212b8965a8993cee8bedf5fe9b8 or later
Is CVE-2024-21503 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0
- from 0, < 24.3.0
- from 0, < f00093672628d212b8965a8993cee8bedf5fe9b8 | from 0, < 24.3.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |