CVE-2023-30608
Regular Expression Denial of Service (ReDoS) vulnerability in sqlparse (PyPI)
What is CVE-2023-30608 About?
The `sqlparse` Python module contains a Regular Expression Denial of Service (ReDoS) vulnerability in its SQL parser, introduced by commit `e75e358`. This flaw allows an attacker to provide a malicious SQL query that causes excessive processing time, leading to a denial of service. Exploitation is relatively easy if an attacker can submit arbitrary SQL queries for parsing.
Affected Software
- sqlparse
- Any revision before fix commit c457abd5f097dd13fb21543381e7cfafe7d31cfb
- Releases >0.1.15, <0.4.4
Technical Details
The sqlparse module, a non-validating SQL parser for Python, is vulnerable to ReDoS due to a poorly constructed regular expression pattern. This regex, part of the SQL parsing logic, exhibits catastrophic backtracking when presented with specific, crafted input strings. When processing such an input, the regex engine explores an exponentially increasing number of paths, consuming excessive CPU resources and rendering the parsing operation extremely slow or unresponsive. This resource exhaustion results in a denial of service for any application using the affected sqlparse versions (before 0.4.4) to process untrusted SQL queries.
What is the Impact of CVE-2023-30608?
Successful exploitation may allow attackers to cause resource exhaustion and denial of service for applications that use the `sqlparse` library to parse SQL queries, severely impacting system availability.
What is the Exploitability of CVE-2023-30608?
Exploitation of this ReDoS vulnerability is of low complexity. An attacker needs to be able to provide a specially crafted SQL query to an application that utilizes the vulnerable sqlparse library. No authentication or elevated privileges are typically required. This vulnerability can be exploited remotely if the application takes SQL-like input from unauthenticated or untrusted users. The main constraint is the presence of the vulnerable sqlparse version (prior to 0.4.4) and the application's processing of untrusted SQL strings. The risk is significantly increased in applications that feature user-supplied query functionality or interactive SQL interfaces.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-30608?
Available Upgrade Options
- sqlparse
- Any revision before commit c457abd5f097dd13fb21543381e7cfafe7d31cfb → Upgrade to commit c457abd5f097dd13fb21543381e7cfafe7d31cfb
- sqlparse
- Releases >0.1.15, <0.4.4 → Upgrade to 0.4.4
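The following Python is added here as an example; it is not code from the advisory or from the sqlparse project. It checks an installed sqlparse version against the affected range given above, and it parses SQL from untrusted sources in a child interpreter with a size cap and a hard timeout, so a query that drives the parser into catastrophic backtracking is killed after a bounded amount of CPU instead of stalling the calling service. The function names, the `SQLPARSE_CHILD` snippet and the default limits are assumptions.

```python
"""Defensive handling of CVE-2023-30608 (sqlparse ReDoS): a version-range
check against the advisory's affected range, plus a wrapper that parses
untrusted SQL in a separate process with a length cap and a hard timeout."""
import subprocess
import sys

# Affected range from the advisory: >0.1.15, <0.4.4 (fixed in 0.4.4).
VULN_LOW_EXCLUSIVE = (0, 1, 15)
FIXED_VERSION = (0, 4, 4)


def version_tuple(version: str) -> tuple:
    """Convert a dotted release string such as '0.4.3' to a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_sqlparse(version: str) -> bool:
    """True when the given sqlparse release falls inside the affected range."""
    v = version_tuple(version)
    return VULN_LOW_EXCLUSIVE < v < FIXED_VERSION


# Child program (an assumption, not sqlparse's own API surface): reads SQL on
# stdin and parses it with sqlparse in its own process, so that a stuck regex
# can be killed from the parent rather than blocking a worker thread forever.
SQLPARSE_CHILD = (
    "import sys, sqlparse\n"
    "print(len(sqlparse.parse(sys.stdin.read())))\n"
)


def parse_untrusted_sql(sql: str, timeout_s: float = 2.0, max_len: int = 10_000,
                        child_code: str = SQLPARSE_CHILD) -> dict:
    """Parse SQL from an untrusted source under a length cap and a hard timeout.

    Returns {'status': 'ok', 'output': ...}, {'status': 'rejected', 'reason': ...}
    or {'status': 'timeout'}. child_code is a Python snippet run in a fresh
    interpreter; it is a parameter so tests can substitute a stand-in."""
    if len(sql) > max_len:
        return {"status": "rejected", "reason": "input exceeds %d characters" % max_len}
    try:
        proc = subprocess.run(
            [sys.executable, "-c", child_code],
            input=sql, capture_output=True, text=True, timeout=timeout_s,
        )
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child when the timeout expires, which ends
        # the CPU burn; a thread-based timeout would leave it running.
        return {"status": "timeout"}
    if proc.returncode != 0:
        return {"status": "rejected", "reason": proc.stderr.strip()}
    return {"status": "ok", "output": proc.stdout.strip()}
```

Upgrading to 0.4.4 remains the fix; the wrapper limits blast radius for services that cannot upgrade immediately or that must parse untrusted input from other libraries as well.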
Additional Resources
- https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
- https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
- https://github.com/andialbrecht/sqlparse
- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
- https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
- https://lists.debian.org/debian-lts-announce/2023/05/msg00017.html
What are Similar Vulnerabilities to CVE-2023-30608?
Similar Vulnerabilities: CVE-2025-3933, CVE-2021-42352, CVE-2020-8174, CVE-2022-31129, CVE-2023-28155
