skip to content
Back to GitHub.com
Home Bounties Research Advisories CodeQL Wall of Fame Get Involved Events
September 9, 2021

GHSL-2021-123: ReDoS (Regular Expression Denial of Service) in Flask RESTX - CVE-2021-32838

Kevin Backhouse

Coordinated Disclosure Timeline

Summary

Flask RESTX contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

Flask RESTX

Tested Version

0.5.0

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the query here.

Vulnerability

The vulnerable regular expression is here.

To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:

import re

email_regex = re.compile(
    r"^" "(?P<local>[^@]*[^@.])" r"@" r"(?P<server>[^@]+(?:\.[^@]+)*)" r"$",
    re.IGNORECASE,
)

email_regex.match("foo@bar.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?@");

Impact

This issue may lead to a denial of service.

CVE

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-123 in any communication regarding this issue.