CVE-2021-27291
python-pygments: ReDoS in multiple lexers
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
A denial of service attack was discovered against pygments. Some of the regular expressions used to tokenise source code for highlighting have exponential complexity. A specially crafted input file could cause pygments to take effectively infinite time to parse, consuming CPU resources and denying access to the service.
Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Issues addressed include code execution, cross site scripting, denial of service, and traversal vulnerabilities.
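The advisory describes the risk (regexes with exponential or cubic worst-case behaviour, triggered by crafted input, in pygments 1.1 up to but not including 2.7.4) but gives no defender-side handling. The following added example is not pygments' own code: it gates on the affected range stated above and runs a tokenizer in a separate process with an input-size cap and a wall-clock limit. The tokenizer passed in is a constructed stand-in, and the helper names (`is_affected`, `bounded_call`) are this example's own. Process isolation is the point: a backtracking regex in CPython executes in C and is not interrupted by thread- or signal-based timeouts inside the same process, so only killing the worker reliably stops the CPU burn.

```python
"""Defender-side handling for the class of bug in CVE-2021-27291.

Added example, not pygments' own code. It (1) checks a version string
against the advisory's range ">= 1.1, < 2.7.4" and (2) runs a tokenizer in
a child process with a size cap and a wall-clock limit, killing the child
on timeout. The tokenizers below are constructed stand-ins.
"""
import multiprocessing
import re
import time

FIRST_AFFECTED = (1, 1)   # "pygments 1.1+" per the advisory
FIXED_IN = (2, 7, 4)      # "fixed in 2.7.4" per the advisory


def parse_version(version: str) -> tuple:
    """'2.7.3' -> (2, 7, 3). Only the leading dotted integers are read;
    release tags such as 'rc1' or '.dev0' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version.strip())
    if m is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_affected(version: str) -> bool:
    """True when the given pygments version falls inside the advisory's range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def _worker(fn, text, conn):
    """Child-process entry point: run fn(text) and send the outcome back."""
    try:
        conn.send(("ok", fn(text)))
    except Exception as exc:  # report failures instead of dying silently
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def bounded_call(fn, text: str, timeout: float = 2.0, max_bytes: int = 1_000_000):
    """Run fn(text) in a child process under a size cap and a time limit.

    Returns ("ok", result), ("error", message), ("timeout", None) or
    ("rejected", reason). On timeout the child is killed, so a regex that is
    still backtracking cannot keep consuming CPU.
    """
    if len(text.encode("utf-8")) > max_bytes:
        return ("rejected", "input too large")
    parent_end, child_end = multiprocessing.Pipe(duplex=False)
    proc = multiprocessing.Process(target=_worker, args=(fn, text, child_end))
    proc.start()
    child_end.close()  # only the child writes on this end
    try:
        if parent_end.poll(timeout):
            result = parent_end.recv()
        else:
            result = ("timeout", None)
    except EOFError:  # child exited without sending anything
        result = ("error", "worker exited without a result")
    finally:
        if proc.is_alive():
            proc.kill()
        proc.join()
        parent_end.close()
    return result


def demo_tokenize(text: str) -> list:
    """Constructed stand-in tokenizer: words and single punctuation characters."""
    return re.findall(r"\w+|[^\w\s]", text)


def stuck_tokenize(text: str) -> list:
    """Constructed stand-in for a lexer stuck in catastrophic backtracking."""
    time.sleep(60)
    return []


if __name__ == "__main__":
    print("2.7.3 affected:", is_affected("2.7.3"))   # True
    print("2.7.4 affected:", is_affected("2.7.4"))   # False
    print(bounded_call(demo_tokenize, "x = 1"))        # ('ok', ['x', '=', '1'])
    print(bounded_call(stuck_tokenize, "x", timeout=0.5))  # ('timeout', None)
```

In a real deployment the callable passed to `bounded_call` would be the highlighting call itself, and the timeout and size cap should be tuned to the largest legitimate source file the service accepts; the version check is a deployment-time guard, not a substitute for upgrading to 2.7.4 or later.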
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-02-16 CVE Reserved
- 2021-03-17 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2025-03-30 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-1333: Inefficient Regular Expression Complexity
CAPEC
References (11)

URL | Tag | Source
---|---|---
https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html | Mailing List |
https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html | Mailing List |
https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html | Mailing List |

URL | Date | SRC
---|---|---
https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce | 2024-08-03 |

URL | Date | SRC
---|---|---
https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14 | 2023-11-07 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Pygments | Pygments | >= 1.1 < 2.7.4 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected
Debian | Debian Linux | 10.0 | - | Affected
Fedoraproject | Fedora | 32 | - | Affected
Fedoraproject | Fedora | 33 | - | Affected