CVE-2022-40896
ReDoS vulnerability in pygments (PyPI)
What is CVE-2022-40896 About?
A Regular Expression Denial of Service (ReDoS) issue was discovered in `pygments/lexers/smithy.py`, the SmithyLexer shipped with Pygments, in releases before the 2.15 fix (sources list the affected range as either <2.15.0 or <2.15.1; treat 2.15.1 or later as fixed). An attacker who can get text processed by the SmithyLexer can supply input that drives one of its regular expressions into exponential backtracking, pinning a CPU core for as long as the match runs. Exploitation requires only control of the input that reaches the vulnerable lexer and is straightforward once the pattern is known.
Affected Software
- pygments
- affected: versions before the 2.15 fix (listed as <2.15.0 by some sources and <2.15.1 by others)
- fixed: 2.15.1 and later
Technical Details
The vulnerable regular expression lives in the token table of the SmithyLexer in `pygments/lexers/smithy.py`. Pygments lexers are built on Python's `re` module, a backtracking engine, so a pattern with overlapping or nested quantifiers can be driven into catastrophic backtracking by an input that almost matches and then fails near the end: the engine retries every way of splitting the input between the overlapping sub-patterns before giving up, and that work grows exponentially with input length. The input does not have to be valid Smithy; it only has to reach the SmithyLexer, whether selected explicitly by name (`smithy`) or by filename (`*.smithy`). While the match runs, CPython holds the GIL inside the C matching loop and does not check for pending signals, so the affected thread cannot be interrupted from inside the process; the application stops responding until the match completes or the process is killed. The linked fix commit reworks the offending pattern.
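The guard a practitioner would put around untrusted highlighting, shown as an added example that is not Pygments' own code and not taken from the fix commit. The `(a+)+` pattern is a constructed stand-in that reproduces the same symptom (nested quantifiers over the same characters), not the pattern from `smithy.py`; `guarded_highlight` assumes Pygments is installed in the child interpreter and uses the real `smithy` lexer alias and `NullFormatter`; `is_fixed_version` treats 2.15.1 as the safe floor because the advisories quoted on this page disagree on the affected range. The same version helper serves the upgrade guidance further down.

```python
"""Bounding regex-driven parsing (such as a Pygments lexer) against ReDoS.

Added example, not Pygments code.  CPython's `re` engine backtracks in C
while holding the GIL and never checks for signals, so a thread-based timer
or Ctrl-C cannot abort a catastrophic match.  The dependable guard is a
separate process with a hard deadline, plus a size cap on the input.
"""
import re
import subprocess
import sys

# Constructed illustration of the vulnerable shape (NOT the Smithy pattern):
# on "aaaa...ab" the engine tries every split of the a's between the inner and
# outer groups before failing, roughly 2^n attempts.
EXPONENTIAL_PATTERN = r"(a+)+"

# Child program run in a fresh interpreter; pattern on argv, subject on stdin.
_REGEX_CHILD = (
    "import re, sys\n"
    "text = sys.stdin.read()\n"
    "print('match' if re.fullmatch(sys.argv[1], text) else 'nomatch')\n"
)

# Same guard around a real highlight job.  The caller, not the input, picks
# the lexer; the child needs Pygments installed.
_HIGHLIGHT_CHILD = (
    "import sys\n"
    "from pygments import highlight\n"
    "from pygments.lexers import get_lexer_by_name\n"
    "from pygments.formatters import NullFormatter\n"
    "sys.stdout.write(highlight(sys.stdin.read(), "
    "get_lexer_by_name(sys.argv[1]), NullFormatter()))\n"
)


def _run_child(program: str, arg: str, text: str, timeout: float) -> tuple:
    """Run `program` in a child interpreter under a wall-clock deadline.

    Returns (status, stdout) with status 'ok', 'timeout' or 'error'.  The
    parent never enters the uninterruptible match itself; on timeout
    subprocess.run kills the child, which is what makes the guard reliable.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", program, arg],
            input=text, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout", ""
    if proc.returncode != 0:
        return "error", proc.stderr
    return "ok", proc.stdout


def guarded_fullmatch(pattern: str, text: str, timeout: float = 1.0,
                      max_len: int = 100_000) -> str:
    """Match with a size cap and a deadline.

    Returns 'match', 'nomatch', 'too-long', 'timeout' or 'error'.
    """
    if len(text) > max_len:          # keep the worst case bounded up front
        return "too-long"
    status, out = _run_child(_REGEX_CHILD, pattern, text, timeout)
    return out.strip() if status == "ok" else status


def guarded_highlight(code: str, lexer_name: str, timeout: float = 2.0,
                      max_len: int = 100_000) -> tuple:
    """Highlight `code` with the named Pygments lexer under the same guard.

    Returns (status, output); status is 'ok', 'too-long', 'timeout' or 'error'.
    """
    if len(code) > max_len:
        return "too-long", ""
    return _run_child(_HIGHLIGHT_CHILD, lexer_name, code, timeout)


def is_fixed_version(version: str, fixed: tuple = (2, 15, 1)) -> bool:
    """True if a Pygments version string is at or past the safe floor.

    2.15.1 is the floor here because advisories disagree on whether 2.15.0 or
    2.15.1 first shipped the fix (assumption taken from the ranges above).
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= fixed


if __name__ == "__main__":
    print("benign:   ", guarded_fullmatch(EXPONENTIAL_PATTERN, "a" * 40))
    print("evil:     ", guarded_fullmatch(EXPONENTIAL_PATTERN, "a" * 40 + "b"))
    print("highlight:", guarded_highlight("namespace example.weather\n", "smithy")[0])
    print("2.14.0 fixed?", is_fixed_version("2.14.0"))
```

Running the file prints `match` for the benign subject and `timeout` for the 41-character hostile one; the child is killed after one second instead of running for hours. The design point is the process boundary: wrapping `highlight()` in a thread with a timer would not help, because the thread stuck in the match never yields the GIL.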
What is the Impact of CVE-2022-40896?
Successful exploitation lets an attacker pin a CPU core for an arbitrarily long time with a short input. Each request carrying such input ties up one worker, so a handful of requests exhaust a synchronous worker pool and the service stops responding. The process does not normally crash on its own, but watchdogs or health checks may restart it, which makes the attack cheap to repeat.
What is the Exploitability of CVE-2022-40896?
Exploitation requires only that attacker-controlled text be processed by the SmithyLexer. Pygments itself imposes no authentication or privilege requirement; whether the attacker needs an account depends on the embedding application (a pastebin, wiki, documentation build or code-review tool that highlights user-submitted content). The attack is remote whenever such content arrives over the network, and the cost is asymmetric: the input is short, the CPU time it consumes is unbounded. Input sanitisation does not help, because the trigger is ordinary characters in a particular arrangement; what helps is upgrading, capping input size, and running highlighting with a hard timeout in a process that can be killed. Any service that lets users choose the lexer by name or picks it from an uploaded `.smithy` filename is exposed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| None publicly known | | |
What are the Available Fixes for CVE-2022-40896?
Available Upgrade Options
- pygments
- <2.15.1 → Upgrade to 2.15.1 or later (this also covers sources that list the affected range as <2.15.0)
Additional Resources
- Fix commit: https://github.com/pygments/pygments/commit/dd52102c38ebe78cd57748e09f38929fd283ad04
- Project repository: https://github.com/pygments/pygments
- PyPI: https://pypi.org/project/Pygments/
- Fedora package announcement: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZGMXALE3HSP4OXC7UUWIKX3OXKZDTY3/
- Fedora package announcement: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VUZO4BQCIY2S2KZYHERQMKURB7AHXDBO/
- Discovery write-up (pyup): https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/
What are Similar Vulnerabilities to CVE-2022-40896?
Similar Vulnerabilities: CVE-2022-42965, CVE-2023-24807, CVE-2019-15806, CVE-2018-18585, CVE-2020-8174
