{"id":"CVE-2022-40023","details":"Mako (sqlalchemy/mako) before 1.2.2 is vulnerable to Regular Expression Denial of Service (ReDoS) when the Lexer class is used to parse. The babelplugin and linguaplugin extensions are also affected.","aliases":["GHSA-v973-fxgf-6xhp","PYSEC-2022-260"],"modified":"2026-04-02T08:13:40.542386Z","published":"2022-09-07T13:15:09.953Z","related":["ALSA-2023:2258","ALSA-2023:2893","MGASA-2022-0350","SUSE-SU-2022:3700-1","SUSE-SU-2022:3701-1","SUSE-SU-2022:3979-1","openSUSE-SU-2024:13610-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/12/msg00004.html"},{"type":"ADVISORY","url":"https://pyup.io/vulnerabilities/CVE-2022-40023/50870/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html"},{"type":"FIX","url":"https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c"},{"type":"FIX","url":"https://github.com/sqlalchemy/mako/issues/366"},{"type":"EVIDENCE","url":"https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/"},{"type":"EVIDENCE","url":"https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sqlalchemy/mako","events":[{"introduced":"0"},{"fixed":"5054cc07ce6a957143251d32a963b8e0e437457a"},{"fixed":"925760291d6efec64fda6e9dd1fd9cfbd5be068c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.2.2"}]}}],"versions":["rel_0_1_0","rel_0_1_1","rel_0_1_10","rel_0_1_2","rel_0_1_3","rel_0_1_4","rel_0_1_5","rel_0_1_6","rel_0_1_7","rel_0_1_8","rel_0_1_9","rel_0_2_0","rel_0_2_1","rel_0_2_2","rel_0_2_3","rel_0_2_4","rel_0_2_5","rel_0_3_0","rel_0_3_1","rel_0_3_2","rel_0_3_3","rel_0_3_4","rel_0_3_5","rel_0_3_6","rel_0_4_0","rel_0_4_1","rel_0_4_2","rel_0_5_0","rel_0_6_0","rel_0_6_1","rel_0_6_2","rel_0_7_0","rel_0_7_1","rel_0_7_2","rel_0_7_3","rel_0_8_0","rel_0_8_1","rel_0_9_0","rel_0_9_1","rel_1_0_0","rel_1_0_1","rel_1_0_10"
,"rel_1_0_11","rel_1_0_12","rel_1_0_13","rel_1_0_14","rel_1_0_2","rel_1_0_3","rel_1_0_4","rel_1_0_5","rel_1_0_6","rel_1_0_7","rel_1_0_8","rel_1_0_9","rel_1_1_0","rel_1_1_1","rel_1_1_2","rel_1_1_3","rel_1_1_4","rel_1_1_5","rel_1_1_6","rel_1_2_0","rel_1_2_1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-40023.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}