Description
Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
Scores
CVSS v3
5.3
EPSS
0.0008
EPSS Percentile
23.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1333
CWE-75
Status
published
Products (2)
n/a/black
< 24.3.0
pypi/black
0 - 24.3.0PyPI
Published
Mar 19, 2024
Tracked Since
Feb 18, 2026