FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

py-pygments -- multiple DoS vulnerabilities

Affected packages
py310-pygments < 2.7.4
py311-pygments < 2.7.4
py37-pygments < 2.7.4
py38-pygments < 2.7.4
py39-pygments < 2.7.4
py310-pygments-25 < 2.7.4
py311-pygments-25 < 2.7.4
py37-pygments-25 < 2.7.4
py38-pygments-25 < 2.7.4
py39-pygments-25 < 2.7.4


VuXML ID cdc685b5-1724-49a1-ad57-2eaab68e9cc0
Discovery 2021-03-17
Entry 2023-08-31

Red Hat reports:

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

Ben Caller reports:

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions.

Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS.

By crafting malicious input, an attacker can cause a denial of service.


CVE Name CVE-2021-20270
CVE Name CVE-2021-27291