{"id":"CVE-2022-39280","summary":"Regular expression denial of service in dparse","details":"dparse is a parser for Python dependency files. dparse versions before 0.5.2 contain a regular expression that is vulnerable to Regular Expression Denial of Service. All users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`; all users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.","aliases":["GHSA-8fg9-p83m-x5pq","PYSEC-2022-301"],"modified":"2026-04-10T04:51:16.415399Z","published":"2022-10-06T00:00:00Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39280.json","cwe_ids":["CWE-400"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/39xxx/CVE-2022-39280.json"},{"type":"ADVISORY","url":"https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39280"},{"type":"FIX","url":"https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5"},{"type":"FIX","url":"https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pyupio/dparse","events":[{"introduced":"0"},{"fixed":"2bcf15b5493997d69cbc747cc6f7316bc543edc5"}]}],"versions":["0.1.0","0.1.1","0.2.0","0.2.1","0.3.0","0.4","0.4.1","0.5.0","0.5.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-39280.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}