VDB
PYSEC-2021-141
PYSEC-2021-141
PUBLISHED
CVSS 8.199999809265137 HIGH
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
Risk Scores
CVSS v4.0
8.199999809265137
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | pygments | 0, 1.1, 1.1 |
Timeline
- Mar 17, 2021 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ/ url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55/ url
- https://github.com/advisories/GHSA-pq64-v7f5-gqh8 advisory
- https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce exploit
- https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 fix
- https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html advisory
- https://www.debian.org/security/2021/dsa-4878 advisory
- https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html advisory
- https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html advisory
- https://www.debian.org/security/2021/dsa-4889 advisory