This repository has been archived by the owner on Nov 4, 2024. It is now read-only.

CVE-2024-21503 in psf/black #535

Open
alexdmccabe opened this issue Jul 1, 2024 · 0 comments

Comments


alexdmccabe commented Jul 1, 2024

CVE-2024-21503

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

psf/black 24.3.0

This release is a milestone: it fixes Black's first CVE security vulnerability. If you run Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings, you are strongly encouraged to upgrade immediately to fix CVE-2024-21503.

psf/black is currently locked to 23.12.1 in poetry.lock.
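The issue above reports that black is pinned to 23.12.1 in poetry.lock, which falls inside the advisory's "before 24.3.0" range. The script below is an added example for this issue, not code from psf/black or from this repository: it parses the `[[package]]` tables of a poetry.lock and flags any entry whose version is still below the fixed release. The advisory table (black < 24.3.0 for CVE-2024-21503) is taken from the issue text; the poetry.lock excerpt is constructed for the demo and is not the repository's real lock file.

```python
"""Flag poetry.lock entries still inside the CVE-2024-21503 range (black < 24.3.0).

Added example for this issue; not code from psf/black or this repository.
Assumptions: the advisory range comes from the issue text, the lock excerpt is
constructed, and versions are compared as dotted integer tuples (enough for
release tags such as 23.12.1 and 24.3.0; pre-release suffixes are ignored).
"""
import re
from typing import Dict, List, Tuple

# Fixed-version table keyed by package name; data quoted from the issue.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "black": [("CVE-2024-21503", "24.3.0")],
}

# Constructed poetry.lock excerpt (not the repository's actual lock file).
SAMPLE_LOCK = '''\
[[package]]
name = "black"
version = "23.12.1"
description = "The uncompromising code formatter."
optional = false
python-versions = ">=3.8"

[[package]]
name = "click"
version = "8.1.7"
description = "Composable command line interface toolkit"
optional = false
python-versions = ">=3.7"
'''

# Only the two keys the audit needs; a stdlib-only parser avoids pulling in tomllib/tomli.
_KV_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')


def parse_poetry_lock(text: str) -> Dict[str, str]:
    """Return {package_name: version} from every [[package]] table in a poetry.lock."""
    packages: Dict[str, str] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            # A new table starts: flush the previous one if it was complete.
            if "name" in current and "version" in current:
                packages[current["name"].lower()] = current["version"]
            current = {}
            continue
        m = _KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if "name" in current and "version" in current:
        packages[current["name"].lower()] = current["version"]
    return packages


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '23.12.1' into (23, 12, 1); stop at the first non-numeric component."""
    parts: List[int] = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts)


def is_affected(installed: str, fixed: str) -> bool:
    """True when installed < fixed, i.e. inside an advisory's 'before <fixed>' range."""
    return parse_version(installed) < parse_version(fixed)


def audit_lock(text: str, advisories=ADVISORIES) -> List[Tuple[str, str, str, str]]:
    """Return (package, installed, cve, fixed) for each lock entry still in a vulnerable range."""
    findings: List[Tuple[str, str, str, str]] = []
    packages = parse_poetry_lock(text)
    for name, entries in advisories.items():
        installed = packages.get(name)
        if installed is None:
            continue  # package not locked at all; nothing to flag
        for cve, fixed in entries:
            if is_affected(installed, fixed):
                findings.append((name, installed, cve, fixed))
    return findings


if __name__ == "__main__":
    for name, installed, cve, fixed in audit_lock(SAMPLE_LOCK):
        print(f"{name} {installed} is affected by {cve}; upgrade to >= {fixed}")
```

Against the constructed excerpt this reports black 23.12.1 as affected and leaves click alone. The version comparison is deliberately minimal; for lock files that carry pre-release or local version suffixes, swap `parse_version` for `packaging.version.Version`, which implements PEP 440 ordering. Bumping the pin to 24.3.0 or later and regenerating poetry.lock is the remediation the issue points at; this check only confirms whether the lock file is still inside the advisory range.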
