CVE-2024-21503

EUVD-2024-0019
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
Weakness: Special Element Injection

CVSS 3.x Base Score

Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  5.3 MEDIUM  NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Score Percentile: 23%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.

Vendor                      Product  Version   Source
python_software_foundation  black    < 24.3.0  ADP
Debian Releases

Debian Product  Codename  Version    Status
black           bookworm             ignored
black           bullseye             no-dsa
black           buster               postponed
black           forky     25.12.0-1  fixed
black           sid       25.12.0-1  fixed
black           trixie    25.1.0-3   fixed
Ubuntu Releases

Ubuntu Product  Codename  Status
black           focal     needs-triage
black           jammy     needs-triage
black           mantic    ignored
black           noble     needs-triage
black           oracular  ignored
black           plucky    needs-triage
black           questing  needs-triage