GHSL-2021-123: ReDoS (Regular Expression Denial of Service) in Flask RESTX - CVE-2021-32838

Coordinated Disclosure Timeline

• 2021-08-31: Created an issue asking for contact details.
• 2021-09-01: GHSA-3q6g-vf58-7m4g created.
• 2021-09-01: Issue fixed.
• 021-09-01: GHSA-3q6g-vf58-7m4g published.

Summary

Flask RESTX contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

Flask RESTX

Tested Version

0.5.0

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on Flask RESTX by following this link.

Vulnerability

The vulnerable regular expression is here.

To see that the regular expression is vulnerable, copy-paste it into a separate file as shown below:

• Run the code below with python3:

import re

email_regex = re.compile(
    r"^" "(?P<local>[^@]*[^@.])" r"@" r"(?P<server>[^@]+(?:\.[^@]+)*)" r"$",
    re.IGNORECASE,
)

email_regex.match("foo@bar.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?.?@");

Impact

This issue may lead to a denial of service.

CVE

• CVE-2021-32838

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-123 in any communication regarding this issue.