CVE-2021-27291

moderate-risk
Published 2021-03-17

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

Do I need to act?

~
3.4% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (5)

Pygments

Affected Vendors

Debian Fedoraproject Pygments

References (18)

Exploit https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
Patch https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e41827...
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://www.debian.org/security/2021/dsa-4878
Third Party Advisory https://www.debian.org/security/2021/dsa-4889
Exploit https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce
Patch https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e41827...
Mailing List https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
Mailing List https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://www.debian.org/security/2021/dsa-4878
Third Party Advisory https://www.debian.org/security/2021/dsa-4889
45
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 7/34 · Low
Exposure 12/34 · Low