Homepage
About Snyk

Uncontrolled Recursion Affecting sqlparse package, versions [,0.5.0)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.07% (31st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-SQLPARSE-6615674
  • published 16 Apr 2024
  • disclosed 15 Apr 2024
  • credit uriyay-jfrog
Report a new vulnerability Found a mistake?

Introduced: 15 Apr 2024

CVE-2024-4340 Open this link in a new tab
CWE-674 Open this link in a new tab

How to fix?

Upgrade sqlparse to version 0.5.0 or higher.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion due to the parsing of heavily nested lists. An attacker can cause the application to crash by submitting a specially crafted list that triggers a RecursionError.

Note: The impact depends on the use, so anyone parsing a user input with sqlparse.parse() is affected.

PoC 


import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High
Expand this section

Red Hat

7.5 high
Expand this section

SUSE

7.5 high