CVE Vulnerabilities

CVE-2024-21503

Inefficient Regular Expression Complexity

Published: Mar 19, 2024 | Modified: Jun 17, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Weakness

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Software

NameVendorStart VersionEnd Version
Red Hat Ansible Automation Platform 2.4 for RHEL 8RedHatpython3x-black-0:22.8.0-2.el8ap*
Red Hat Ansible Automation Platform 2.4 for RHEL 9RedHatpython-black-0:22.8.0-2.el9ap*
BlackUbuntufocal*
BlackUbuntumantic*
BlackUbuntuoracular*
BlackUbuntuplucky*
BlackUbuntuquesting*

Potential Mitigations

References