Safety vulnerability ID: 39525
The information on this page was manually curated by our Cybersecurity Intelligence Team.
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the '_punctuation_re regex' operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
Latest version: 3.1.4
A very fast and expressive template engine.
This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. See CVE-2020-28493.
MISC:https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20: https://github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
MISC:https://github.com/pallets/jinja/pull/1343: https://github.com/pallets/jinja/pull/1343
MISC:https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994: https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application