{"id":"CVE-2022-40897","details":"Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.","aliases":["BIT-setuptools-2022-40897","GHSA-r9hx-vwmv-q579","PYSEC-2022-43012"],"modified":"2026-04-10T04:51:43.338477Z","published":"2022-12-23T00:15:13.987Z","related":["ALSA-2023:0835","ALSA-2023:0952","ALSA-2024:2985","ALSA-2024:2987","CGA-46gg-582c-cwr8","MGASA-2023-0219","SUSE-SU-2023:0091-1","SUSE-SU-2023:0093-1","SUSE-SU-2023:0094-1","SUSE-SU-2023:0159-1","SUSE-SU-2023:0202-1","SUSE-SU-2023:0223-1","SUSE-SU-2023:0402-1","SUSE-SU-2023:0403-1","SUSE-SU-2023:4517-1","SUSE-SU-2024:2435-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html"},{"type":"ADVISORY","url":"https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200"},{"type":"ADVISORY","url":"https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1"},{"type":"ADVISORY","url":"https://pyup.io/vulnerabilities/CVE-2022-40897/52495/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230214-0001/"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20240621-0006/"},{"type":"FIX","url":"https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/"},{"type":"FIX","url":"https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pypa/setuptools","events":[{"introduced":"0"},{"fixed":"a462cb5edb324dcc56f903524b742305e4087014"},{"fixed":"43a9c9bfa6aa626ec2a22540bea28d2ca77964be"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"65.5.1"}]}}],"versions":["v59.8.0","v60.0.0","v60.0.1","v60.0.2","v60.0.3","v60.0.4","v60.0.5","v60.1.0","v60.1.1","v60.10.0","v60.2.0","v60.3.0","v60.3.1","v60.4.0","v60.5.0","v60.5.1","v60.5.2","v60.5.3","v60.5.4","v60.6.0","v60.7.0","v60.7.1","v60.8.0","v60.8.1","v60.8.2","v60.9.0","v60.9.1","v60.9.2","v60.9.3","v61.0.0","v61.1.0","v61.1.1","v61.2.0","v61.3.0","v61.3.1","v62.0.0","v62.1.0","v62.2.0","v62.3.0","v62.3.1","v62.3.2","v62.3.3","v62.3.4","v62.4.0","v62.5.0","v62.6.0","v63.0.0","v63.1.0","v63.2.0","v63.3.0","v63.4.0","v63.4.1","v63.4.2","v63.4.3","v64.0.0","v64.0.1","v64.0.2","v64.0.3","v65.0.0","v65.0.1","v65.0.2","v65.1.0","v65.1.1","v65.2.0","v65.3.0","v65.4.0","v65.4.1","v65.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-40897.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}