DescriptionVersions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service. Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1067177

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
black (PTS)buster18.9b0-1-6vulnerable
trixie, sid24.4.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs


[bookworm] - black <no-dsa> (Minor issue)
[bullseye] - black <no-dsa> (Minor issue)
[buster] - black <postponed> (Minor issue; can be fixed in next update) (24.3.0)

Search for package or bug name: Reporting problems