Allocation of Resources Without Limits or Throttling in sqlfluffrs | CVE-2026-46374

Q: How to fix?

Upgrade sqlfluffrs to version 4.2.0 or higher.

Introduced: 19 May 2026

NewCVE-2026-46374 (opens in a new tab) CWE-770 (opens in a new tab)

How to fix?

Upgrade sqlfluffrs to version 4.2.0 or higher.

Overview

sqlfluffrs is a The SQL Linter for Humans

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the Parser, ParseContext, and Rust parser match-tree handling in the parser components. An attacker can force excessive parse-tree growth by supplying unusually wide or expansive SQL that drives the parser to materialize an excessive number of nodes. This can exhaust CPU and memory during parsing and linting, causing the user’s SQL processing to stall or fail with an unhandled parse error.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Allocation of Resources Without Limits or Throttling Affecting sqlfluffrs package, versions [,4.2.0)

Severity

Do your applications use this vulnerable package?

Snyk Learn

Introduced: 19 May 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk