Vulnerability DatabaseCVE-2024-21503
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-21503
March 19, 2024
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
Affected Packages
black (PYTHON):
Affected version(s) >=18.3a0 <24.3.0
Fix Suggestion:
Update to version 24.3.0
Related Resources (5)
https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8
https://nvd.nist.gov/vuln/detail/CVE-2024-21503
https://github.com/psf/black/releases/tag/24.3.0
https://github.com/psf/black
https://github.com/pypa/advisory-database/tree/main/vulns/black/PYSEC-2024-48.yaml
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.5
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
LOW
Exploit Maturity
PROOF-OF-CONCEPT
Weakness Type (CWE)
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-75
Inefficient Regular Expression Complexity
CWE-1333
EPSS
Base Score:
0.06