Status: Closed (kevinbackhouse closed this 1 month ago)
Thanks for fixing this. The slightly expanded regex is totally fine. Hopefully this keeps the CVE hunters with regex scanners at bay.
Hi @aearly, is this fix for CVE-2024-39249? When will a new version be ready? Thanks.
Hi @aearly, can we expect a quick release for this fix?
Published in 3.2.6. Also note that this was an invalid, disputed CVE.
This fixes the ReDoS issue that was reported in #1975.
I couldn't find a way to fix the ReDoS without making minor changes to the behavior of the regex, so I've split this PR into two commits to show what I've done. The first commit simplifies the regex, but in a way that will make it match a superset of the strings that it matched before. The second commit fixes the ReDoS (in both regexes) without changing their behavior.