Homepage
About Snyk

Uncontrolled Recursion Affecting sqlparse package, versions [,0.5.0)

0.0
high

Snyk CVSS

    Attack Complexity Low
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept
    EPSS 0.05% (15th percentile)
Expand this section
Red Hat
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-SQLPARSE-6615674
  • published 16 Apr 2024
  • disclosed 15 Apr 2024
  • credit uriyay-jfrog
Report a new vulnerability Found a mistake?

Introduced: 15 Apr 2024

New CVE-2024-4340 Open this link in a new tab
CWE-674 Open this link in a new tab

How to fix?

Upgrade sqlparse to version 0.5.0 or higher.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion due to the parsing of heavily nested lists. An attacker can cause the application to crash by submitting a specially crafted list that triggers a RecursionError.

Note: The impact depends on the use, so anyone parsing a user input with sqlparse.parse() is affected.

PoC 


import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)

References