pytest-dev / py

Python development support library (note: maintenance only)
MIT License

Snyk has identified a vulnerability in version 1.9.0 #265

Closed carltonsmith closed 3 years ago

carltonsmith commented 3 years ago

Here is the issue from Snyk:

Regular Expression Denial of Service (ReDoS)
Vulnerable module: py
Introduced through: pytest@6.1.2
Detailed paths
Introduced through: HHS/TANF-app@HHS/TANF-app › pytest@6.1.2 › py@1.9.0
Overview
py is a Python development support library.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The subpattern \d+\s*\S+ is ambiguous which makes the pattern subject to catastrophic backtracking given a string like "1" * 5000.

SVN blame output seems to always have at least one space between the revision number and the user name, so the ambiguity can be fixed by changing the * to +.

You can find a detailed explanation here
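The ambiguity described above, as an added example that is not part of this issue or of the py source: the two patterns below are built around the subpattern `\d+\s*\S+` named by the advisory, with the capture groups and the trailing literal space plus `(.*)` assumed here to model a "revision, committer, source line" layout. That trailing space is what makes a digit-only line fail to match at all, so the engine tries every split between `\d+` and `\S+` before giving up. The blame lines and the hostile input are constructed.

```python
import re
import time

# The advisory names only the subpattern \d+\s*\S+. The surrounding groups
# and the trailing " (.*)" are assumed for illustration (not copied from py).
VULNERABLE = re.compile(r"\s*(\d+)\s*(\S+) (.*)")  # \s* lets \d+ and \S+ overlap
FIXED = re.compile(r"\s*(\d+)\s+(\S+) (.*)")       # \s+ : the fix from the issue


def parse_blame_line(pattern, line):
    """Return (revision, user, text) for one blame line, or None if no match."""
    m = pattern.match(line)
    if not m:
        return None
    rev, user, text = m.groups()
    return int(rev), user, text


# Constructed lines in the shape of `svn blame` output: revision, at least one
# space, committer, one space, then the source line.
SAMPLE_LINES = [
    "    12   alice def foo():",
    "   345 bob return 1",
]

# Constructed line with no whitespace between revision and user. The advisory
# says real svn blame output always has at least one space, so rejecting it
# is acceptable; it shows the one behavioural difference between the patterns.
NO_SPACE_LINE = "12abc rest"


def hostile_line(n):
    """n digits and nothing else: the ReDoS input from the advisory ("1" * 5000).
    With \\s* between them, \\d+ and \\S+ both accept digits, so every split
    of the digit run is tried before the missing literal space makes it fail."""
    return "1" * n


def time_match(pattern, line):
    """Seconds spent in a single pattern.match() call."""
    start = time.perf_counter()
    pattern.match(line)
    return time.perf_counter() - start


def growth_ratio(pattern, n):
    """Time at 2n divided by time at n: roughly 4 for quadratic, 2 for linear."""
    t1 = time_match(pattern, hostile_line(n))
    t2 = time_match(pattern, hostile_line(2 * n))
    return t2 / t1 if t1 > 0 else float("inf")


if __name__ == "__main__":
    for line in SAMPLE_LINES + [NO_SPACE_LINE]:
        print(repr(line), parse_blame_line(VULNERABLE, line), parse_blame_line(FIXED, line))
    for name, pat in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        secs = time_match(pat, hostile_line(2000))
        print(f"{name}: {secs:.4f}s for 2000 digits, "
              f"x{growth_ratio(pat, 1000):.1f} when the input doubles")
```

Both patterns parse well-formed lines identically; the vulnerable one additionally accepts `12abc rest`, which the fix rejects. The fix is linear because every adjacent token pair (`\d+`/`\s+`, `\s+`/`\S+`, `\S+`/literal space) now has disjoint character classes, so no character can be claimed by more than one token and there is nothing to backtrack over. The timing printout uses 2000 digits rather than the advisory's 5000 so the vulnerable case finishes in well under a minute while still showing the quadratic growth ratio.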

RonnyPfannschmidt commented 3 years ago

Duplicate of #256