CVE-2020-28493
Jinja2 < 2.11.3 - Uncontrolled Resource Consumption via _punctuation_re Regex
Severity: MEDIUM
Title source: llmDescription
This affects the jinja2 package in all versions before 2.11.3. The ReDoS is caused by the `_punctuation_re` regex, used by the `urlize` filter to strip leading and trailing punctuation from each word before deciding whether it is a URL, and its use of multiple wildcards. The last wildcard, the group that searches for trailing punctuation, is the most exploitable: a word made of many punctuation characters followed by a single non-punctuation character forces the regex engine to rescan and backtrack over the suffix once per candidate length of the middle group, so matching time grows polynomially with word length. Any template that passes attacker-controlled text through `urlize` is exposed. The issue can be mitigated by using Markdown to format user content instead of the `urlize` filter, or by implementing request timeouts and limiting process memory.
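The following is an added example, not code from the Jinja2 project or from this advisory. It builds a regex of the shape the description gives (a greedy lead group, a lazy middle wildcard, a greedy trailing-punctuation group, all anchored), shows the adversarial word that drives the trailing group into quadratic backtracking, and places a backtracking-free replacement beside it that produces the same lead/middle/trail split by scanning the word once from each end. The token sets `LEAD_TOKENS` and `TRAIL_TOKENS`, the function names, and the payload shape are assumptions made for this illustration; compare against the utils.py reference above before relying on any of them.

```python
import re
import time

# Assumed token sets for illustration (not copied from Jinja2): characters
# that may open a URL in running text, and punctuation that may close it.
LEAD_TOKENS = ("(", "<", "&lt;")
TRAIL_TOKENS = (".", ",", ")", ">", "\n", "&gt;")

# Vulnerable shape: for each candidate length of the lazy <middle> group the
# <trail> group greedily consumes the rest of the word, fails at "$" if the
# last character is not punctuation, and backtracks one token at a time.
# That is O(n) work per <middle> length and O(n^2) in total.
_PUNCTUATION_RE = re.compile(
    r"^(?P<lead>(?:%s)*)(?P<middle>.*?)(?P<trail>(?:%s)*)$"
    % (
        "|".join(map(re.escape, LEAD_TOKENS)),
        "|".join(map(re.escape, TRAIL_TOKENS)),
    )
)


def split_punctuation_regex(word):
    """Vulnerable variant: one backtracking regex does lead/middle/trail.
    `word` is assumed to come from a whitespace split, so it has no newline."""
    m = _PUNCTUATION_RE.match(word)
    return m.group("lead"), m.group("middle"), m.group("trail")


# Longest token first so "&gt;" wins over its own last character ">"; this
# keeps the backward scan equivalent to the regex's leftmost trailing match.
_TRAIL_BY_LENGTH = sorted(TRAIL_TOKENS, key=len, reverse=True)


def split_punctuation_linear(word):
    """Hardened variant: two bounded scans, no regex, O(len(word))."""
    i = 0  # end of the lead group
    while True:
        for tok in LEAD_TOKENS:
            if word.startswith(tok, i):
                i += len(tok)
                break
        else:
            break
    j = len(word)  # start of the trail group; never crosses the lead
    while j > i:
        for tok in _TRAIL_BY_LENGTH:
            if j - len(tok) >= i and word.endswith(tok, i, j):
                j -= len(tok)
                break
        else:
            break
    return word[:i], word[i:j], word[j:]


def adversarial_word(n):
    """Constructed payload: n trailing-punctuation characters ending in one
    letter, so the <trail> group can never reach "$" and must backtrack."""
    return ")" * n + "x"


def time_both(n):
    """Return (regex_seconds, linear_seconds) for the adversarial word."""
    word = adversarial_word(n)
    t0 = time.perf_counter()
    split_punctuation_regex(word)
    t1 = time.perf_counter()
    split_punctuation_linear(word)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    print(split_punctuation_regex("(https://example.org)."))
    print(split_punctuation_linear("(https://example.org)."))
    # Doubling n roughly quadruples the regex time; the scan stays flat.
    for n in (2000, 4000, 8000):
        regex_s, linear_s = time_both(n)
        print(f"n={n:5d}  regex={regex_s:.3f}s  linear={linear_s:.6f}s")
```

The timing loop is the check a practitioner wants before filing or closing this kind of finding: a quadratic pattern shows as a roughly fourfold cost per doubling of the input. One caveat for the mitigation advice in the description: CPython's regex engine does not check for pending signals while a match is running, so an in-process alarm or `KeyboardInterrupt` will not stop a pathological match; request timeouts and memory limits have to be enforced at the worker or process level to actually bound the damage.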
References (5)
Exploit, Third Party Advisory (x_refsource_misc): https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
Broken Link (x_refsource_misc): https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20 (the `%23` is a percent-encoded `#`; the intended target is line 20 of src/jinja2/utils.py at that commit, where the regex is defined)
Patch, Third Party Advisory (x_refsource_misc): https://github.com/pallets/jinja/pull/1343
Third Party Advisory, vendor advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/202107-19
Mailing List, Third Party Advisory, vendor advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4/
Scores
CVSS v3: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Attack Vector: NETWORK
EPSS: 0.0355
EPSS Percentile: 87.8%
Details
CWE: CWE-400 (Uncontrolled Resource Consumption)
Status: published
Products (3)
fedoraproject/fedora: 33
palletsprojects/jinja: < 2.11.3
pypi/Jinja2: 0 - 2.11.3 (PyPI; upper bound exclusive, 2.11.3 is the fixed release)
Published: Feb 01, 2021
Tracked Since: Feb 18, 2026