7.5

CVE-2022-40023

Exploit
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SqlalchemyMako Version < 1.2.2
DebianDebian Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.72% 0.747
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21
Third Party Advisory
Exploit
https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c
Patch
https://github.com/sqlalchemy/mako/issues/366
Patch
Issue Tracking
https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html
Third Party Advisory
Mailing List
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
Third Party Advisory
Exploit
https://pyup.io/vulnerabilities/CVE-2022-40023/50870/
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/12/msg00004.html