{"id":"CVE-2024-21503","details":"Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.\r\rExploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.","aliases":["GHSA-fj7x-q9j7-g6q6","PYSEC-2024-48"],"modified":"2026-03-15T22:48:24.425344Z","published":"2024-03-19T05:15:09.447Z","related":["CGA-2hv7-7prc-w99h","SUSE-SU-2024:2481-1","openSUSE-SU-2024:13783-1"],"references":[{"type":"WEB","url":"https://github.com/psf/black/releases/tag/24.3.0"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273"},{"type":"FIX","url":"https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/psf/black","events":[{"introduced":"0"},{"fixed":"552baf822992936134cbd31a38f69c8cfe7c0f05"},{"fixed":"f00093672628d212b8965a8993cee8bedf5fe9b8"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"24.3.0"}]}}],"versions":["18.3a0","18.3a1","18.3a2","18.3a3","18.3a4","18.4a0","18.4a1","18.4a2","18.4a3","18.4a4","18.5b0","18.5b1","18.6b0","18.6b1","18.6b2","18.6b3","18.6b4","18.9b0","19.10b0","19.3b0","20.8b0","20.8b1","21.10b0","21.11b0","21.11b1","21.12b0","21.4b0","21.4b1","21.4b2","21.5b0","21.5b1","21.5b2","21.6b0","21.7b0","21.8b0","21.9b0","22.1.0","22.10.0","22.12.0","22.3.0","22.6.0","22.8.0","23.1.0","23.10.0","23.10.1","23.11.0","23.12.0","23.12.1","23.3.0","23.7.0","23.9.0","23.9.1","24.1.0","24.1.1","24.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-21503.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}