Safety vulnerability ID: 67887
The information on this page was manually curated by our Cybersecurity Intelligence Team.
sqlparse 0.5.0 fixes a potential denial-of-service (DoS) vulnerability: a sufficiently deeply nested SQL statement could drive the parser into a RecursionError, which ordinary parse-error handling does not catch, so any service that parses untrusted SQL could be crashed by a single crafted input. Versions before 0.5.0 are affected. As of 0.5.0 the parser raises a generic SQLParseError in that situation instead, so callers can treat such input as a rejected statement like any other parse failure. Upgrade to 0.5.0 or later; applications that parse attacker-supplied SQL should additionally bound the size of the input they hand to the parser.
Latest version: 0.5.3
A non-validating SQL parser.
----------------------------
Notable Changes
* Drop support for Python 3.5, 3.6, and 3.7.
* Python 3.12 is now supported (pr725, by hugovk).
* IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion
error for deeply nested statements. Instead of recursion error a generic
SQLParseError is raised. See the security advisory for details:
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg
The vulnerability was discovered by uriyay-jfrog. Thanks for reporting!
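As an added illustration, not sqlparse's own code and not a reproduction of the advisory, the toy grouper below models the failure mode described above: each level of parentheses costs one stack frame, so whoever controls the statement controls the recursion depth. `group_unbounded` shows the pre-0.5.0 outcome (a RecursionError escaping the parser), `group_fixed` shows the approach the changelog describes (the RecursionError surfaces as a generic SQLParseError), and `group_capped` goes one step further with an explicit nesting limit. The `SQLParseError` class here is a local stand-in for `sqlparse.exceptions.SQLParseError`, the limit of 100 levels is an assumed value, and the hostile input is constructed for the example.

```python
"""Toy model of the recursion-depth DoS fixed in sqlparse 0.5.0.

Added example, not sqlparse code. It keeps only the property that matters:
grouping nested parentheses recurses once per nesting level, so the input
decides how deep the stack goes.
"""


class SQLParseError(Exception):
    """Local stand-in for sqlparse.exceptions.SQLParseError (assumption)."""


def _group(sql, pos, depth, max_depth):
    """Recursive-descent grouper returning (items, next_pos).

    Each '(' opens one more frame; ')' closes the current group. Characters
    other than parentheses are kept as-is so the structure stays visible.
    """
    if max_depth is not None and depth > max_depth:
        # Deterministic, cheap failure: fire long before the stack is
        # anywhere near the interpreter limit.
        raise SQLParseError(f"nesting deeper than {max_depth} levels")
    items = []
    while pos < len(sql):
        ch = sql[pos]
        if ch == "(":
            sub, pos = _group(sql, pos + 1, depth + 1, max_depth)
            items.append(sub)
        elif ch == ")":
            if depth == 0:
                raise SQLParseError(f"unexpected ')' at offset {pos}")
            return items, pos + 1
        else:
            items.append(ch)
            pos += 1
    if depth > 0:
        raise SQLParseError("unclosed '('")
    return items, pos


def group_unbounded(sql):
    """Pre-fix behaviour (modelled): deep nesting escapes as RecursionError,
    which code expecting a parse error will not catch."""
    return _group(sql, 0, 0, None)[0]


def group_fixed(sql):
    """0.5.0-style behaviour (modelled on the changelog): the RecursionError
    is converted into a generic SQLParseError at the parser's entry point."""
    try:
        return _group(sql, 0, 0, None)[0]
    except RecursionError:
        raise SQLParseError("Maximum recursion depth exceeded") from None


def group_capped(sql, max_depth=100):
    """Stricter variant: an explicit nesting limit (assumed value), so the
    rejection costs at most max_depth frames instead of the whole stack."""
    return _group(sql, 0, 0, max_depth)[0]


def outcome(parser, sql):
    """Run parser on sql and report 'ok' or the raised exception's class name."""
    try:
        parser(sql)
        return "ok"
    except Exception as exc:  # broad on purpose: RecursionError must be visible
        return type(exc).__name__


# Constructed hostile input: far deeper than any default recursion limit.
DEEP_NESTING = "SELECT " + "(" * 20_000 + "1" + ")" * 20_000


if __name__ == "__main__":
    for name, parser in [("unbounded", group_unbounded),
                         ("fixed", group_fixed),
                         ("capped", group_capped)]:
        print(f"{name:>9}: {outcome(parser, DEEP_NESTING)}")
```

Converting the RecursionError at the entry point is what lets a caller treat hostile input as a normal parse failure, but the interpreter still walks the stack all the way to its limit before the exception fires; an explicit cap like `group_capped` rejects the input after a fixed, small amount of work. Either way, a service parsing untrusted SQL should still limit the byte length of statements before handing them to any parser.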
Enhancements:
* Splitting statements can now strip the trailing semicolon, since some
  database backends prefer statements without one (issue742).
* Support TypedLiterals in get_parameters (pr649, by Khrol).
* Improve splitting of Transact SQL when using GO keyword (issue762).
* Support for some JSON operators (issue682).
* Improve formatting of statements containing JSON operators (issue542).
* Support for BigQuery and Snowflake keywords (pr699, by griffatrasgo).
* Support parsing of OVER clause (issue701, pr768 by r33s3n6).
Bug Fixes
* Ignore dunder attributes when creating Tokens (issue672).
* Allow operators to precede dollar-quoted strings (issue763).
* Fix parsing of nested order clauses (issue745, pr746 by john-bodley).
* Thread-safe initialization of Lexer class (issue730).
* Classify TRUNCATE as DDL and GRANT/REVOKE as DCL keywords (based on pr719
by josuc1, thanks for bringing this up!).
* Fix parsing of PRIMARY KEY (issue740).
Other
* Optimize performance of matching function (pr799, by admachainz).