CVE-2022-39280 – ReDoS issue in dparse (6th Oct 2022)

Preface: Python can be used to develop a wide variety of applications, including web applications, gaming applications, enterprise applications, ML applications, image processing, text processing, and more.

Background: When managing Python environments, one of the key concerns is dependency management. Dependencies are all of the software components required by your project in order for it to work as intended and avoid runtime errors.
The Python Package Index (PyPI) is a repository of software for the Python programming language.

  • PyPI helps you find and install software developed and shared by the Python community.
  • Package authors use PyPI to distribute their software.

Dependencies in Python are managed with pip and expressed in a metadata file called requirements.txt.

Vulnerability details: dparse is a parser for Python dependency files. Versions of dparse before 0.5.2 contain a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). All users parsing index server URLs with dparse are affected by this vulnerability.

Remedy: A patch has been applied in version 0.5.2; all users are advised to upgrade to 0.5.2 as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.
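The two remedies above (upgrade, or keep index server URLs out of the text handed to the parser) can be enforced in code. The following is an added example written for this page, not code from the dparse project: a pre-filter that drops the pip index options carrying a URL (`-i`, `--index-url`, `--extra-index-url`, all real pip flags) from a requirements file using plain per-line string operations rather than a regex, so it runs in linear time however long a line is, plus a version check against the patched release 0.5.2. The function names and the sample requirements content are constructed for the example.

```python
"""Defender-side helpers applying the CVE-2022-39280 workaround.

Hypothetical helper code (not dparse's own): strip index-server URL lines from
a requirements file before parsing it, and check the installed dparse version
against the patched release 0.5.2.
"""
import re

# pip options that take an index server URL as their value (real pip flags)
INDEX_OPTIONS = ("-i", "--index-url", "--extra-index-url")

# first dparse release containing the ReDoS fix, per the advisory
PATCHED = (0, 5, 2)


def strip_index_urls(requirements_text: str) -> tuple[str, list[str]]:
    """Return (filtered_text, removed_lines).

    Each line is inspected with str.split() only, so no backtracking regex
    is ever run over attacker-controlled URL text.
    """
    kept, removed = [], []
    for line in requirements_text.splitlines():
        stripped = line.strip()
        # first whitespace-separated token, e.g. "--index-url" or "--index-url=URL"
        token = stripped.split(None, 1)[0] if stripped else ""
        option = token.split("=", 1)[0]  # normalise the "--opt=value" form
        if option in INDEX_OPTIONS:
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept), removed


def is_patched(version: str) -> bool:
    """True if a dparse version string is 0.5.2 or later.

    Only the leading MAJOR.MINOR[.PATCH] digits are compared; suffixes such
    as ".post1" or "rc1" are ignored for this check.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0)) >= PATCHED


# Constructed sample requirements file: two index options, one extra index,
# two ordinary pinned packages.
SAMPLE_REQUIREMENTS = """\
--index-url https://pypi.example.invalid/simple
requests==2.28.1
-i https://mirror.example.invalid/simple
--extra-index-url=https://extra.example.invalid/simple
dparse>=0.5.2
"""


if __name__ == "__main__":
    filtered, dropped = strip_index_urls(SAMPLE_REQUIREMENTS)
    print("dropped %d index option line(s):" % len(dropped))
    for line in dropped:
        print("  ", line)
    print("text safe to hand to an unpatched parser:")
    print(filtered)
    for v in ("0.5.1", "0.5.2", "0.6.0"):
        print(f"dparse {v}: {'patched' if is_patched(v) else 'VULNERABLE, upgrade'}")
```

Run the filter only on installations where `is_patched()` reports an older dparse; once 0.5.2 or later is installed, the index lines can be passed through unchanged. The filter deliberately leaves every other line (pins, `-e` editable installs, `-r` includes) intact so the parsed dependency list is unaffected.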

Ref: https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614
