Coordinated Disclosure Timeline
- 2021-08-31: Followed the instructions in their security policy and entered the details into this form.
- 2021-08-31: Received automated email from email@example.com after completing the form. Issue is tracked as
- 2021-11-30: Deadline expired.
- 2021-12-06: Posted a pull request to fix the bug: https://github.com/frappe/frappe/pull/15201
Frappe contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions.
The vulnerable regular expression is here.
To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:
- Run the code below with
```python
import re

# The trailing "}" can never match, so the engine backtracks through every way of
# splitting the "'0" runs between the two repeated groups before giving up.
re.match(r"^[\w][\w\'\-]*([ \w][\w\'\-]+)*$", "a'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0'0}")
```
This issue may lead to a denial of service.
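As an added example (not part of the advisory and not the code of PR #15201), the script below places the quoted regex beside an unambiguous rewrite that accepts the same strings, checks the two agree on a small constructed corpus, and times both on inputs shaped like the one above. The rewrite, the corpus and the `pathological_input` helper are my own constructions; compare the rewrite with the upstream change before relying on it.

```python
import re
import time

# Regular expression quoted in the advisory (the ReDoS-prone one).
VULNERABLE = re.compile(r"^[\w][\w\'\-]*([ \w][\w\'\-]+)*$")

# Constructed rewrite (an assumption, not necessarily the upstream fix): the same
# language, but each repetition of the group must start with a literal space and
# the class after it cannot contain a space, so every input has exactly one
# possible split and matching runs in linear time.
SAFE = re.compile(r"^[\w][\w'\-]*( [\w'\-]+)*$")


def matches(pattern: re.Pattern, text: str) -> bool:
    """True if `text` is accepted by `pattern` (anchored match)."""
    return pattern.match(text) is not None


def pathological_input(n: int) -> str:
    """Constructed probe in the advisory's shape: 'a', n copies of "'0", and a
    trailing '}' that can never match, forcing the engine to exhaust all splits."""
    return "a" + "'0" * n + "}"


def time_match(pattern: re.Pattern, text: str) -> float:
    """Seconds spent on one match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


# Constructed corpus: input -> expected verdict under the original regex.
CORPUS = {
    "John": True,
    "Mary-Ann O'Neil": True,
    "a": True,
    "a b c": True,
    "a '": True,          # a space may be followed by an apostrophe or hyphen
    "a-": True,
    "": False,
    "'John": False,       # must start with a word character
    "John ": False,       # no trailing space
    "John  Doe": False,   # no consecutive spaces
    "John}": False,
    "Jo hn\tDoe": False,  # tab is not in any character class
}


def patterns_agree(corpus=CORPUS) -> bool:
    """Both regexes return the expected verdict for every corpus entry."""
    return all(
        matches(VULNERABLE, s) == expected == matches(SAFE, s)
        for s, expected in corpus.items()
    )


if __name__ == "__main__":
    assert patterns_agree()
    # Small n only: each extra "'0" roughly doubles the original pattern's
    # running time, so an input of the advisory's size would not finish.
    for n in range(12, 19, 2):
        probe = pathological_input(n)
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE, probe):.4f}s  "
              f"safe={time_match(SAFE, probe):.6f}s")
    print("safe pattern, n=33 (advisory-sized input):",
          f"{time_match(SAFE, pathological_input(33)):.6f}s")
```

Running it shows the original pattern's time growing geometrically with n while the rewrite stays in microseconds; the corpus check is the part to extend with real name data before adopting a rewrite like this, since a regex that is merely fast but accepts a different language is a regression, not a fix.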
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
You can contact the GHSL team at firstname.lastname@example.org; please include a reference to GHSL-2021-122 in any communication regarding this issue.