CVE-2022-42964

NameCVE-2022-42964
DescriptionAn exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the GaussianInput.from_string method
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1024017

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pymatgen (PTS)bookworm2022.11.7+dfsg1-11vulnerable
sid, trixie2023.06.23+dfsg1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pymatgensource(unstable)2023.06.23+dfsg1-11024017

Notes

[bookworm] - pymatgen <no-dsa> (Minor issue)
https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/
https://github.com/materialsproject/pymatgen/issues/2755
Search for package or bug name: Reporting problems