skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
August 12, 2022

GHSL-2021-111: ReDoS (Regular Expression Denial of Service) in Dependency Parser - CVE-2022-39280

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

Dependency Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

Dependency Parser

Tested Version

0.5.0.4

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.

Vulnerability

The vulnerable regular expression is here.

Please follow these steps to reproduce the issue:

from dparse import parse, filetypes

content = """
-i http://0.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.00.',
"""

df = parse(content, file_type=filetypes.requirements_txt)

Impact

This issue may lead to a denial of service.

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-111 in any communication regarding this issue.