Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
Weakness
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mako | Sqlalchemy | * | 1.2.2 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | python-mako-0:1.0.6-14.el8 | * |
| Red Hat Enterprise Linux 9 | RedHat | python-mako-0:1.1.4-6.el9 | * |
| Mako | Ubuntu | bionic | * |
| Mako | Ubuntu | devel | * |
| Mako | Ubuntu | esm-infra-legacy/xenial | * |
| Mako | Ubuntu | esm-infra/bionic | * |
| Mako | Ubuntu | esm-infra/focal | * |
| Mako | Ubuntu | esm-infra/xenial | * |
| Mako | Ubuntu | focal | * |
| Mako | Ubuntu | jammy | * |
| Mako | Ubuntu | kinetic | * |
| Mako | Ubuntu | lunar | * |
| Mako | Ubuntu | trusty | * |
| Mako | Ubuntu | upstream | * |
| Mako | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
- https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
- https://github.com/sqlalchemy/mako/issues/366
- https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html
- https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
- https://pyup.io/vulnerabilities/CVE-2022-40023/50870/
- https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
- https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
- https://github.com/sqlalchemy/mako/issues/366
- https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html
- https://lists.debian.org/debian-lts-announce/2025/12/msg00004.html
- https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
- https://pyup.io/vulnerabilities/CVE-2022-40023/50870/