redis / redis-om-python

Object mapping, and more, for Redis and Python
MIT License

Security Alert: cleo is vulnerable to Regular Expression Denial of Service (ReDoS) #426

Closed Tech-Dex closed 1 year ago

Tech-Dex commented 1 year ago

It seems like cleo==1.0.0a5 which is required by redis-om==0.1.0 has an issue.

chayim commented 1 year ago

Thanks for raising this issue!

redis-om-python does not have direct dependencies on cleo. However, upstream dependencies did exist. The cleo DDOS issue should not impact this library given how it was being used (or specifically how set_rows isn't being used) and was previously identified/filtered in the dependency checks.

However, PR #427 exists, and agreed, we should issue a new release as this occurs - to force dependency pinning!
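The exchange above turns on one question a maintainer has to answer for every advisory like this: is the flagged package a direct dependency, or is it only pulled in transitively, and through which chain? The script below is an added example, not code from redis-om-python or from this thread. It walks a package-to-requirements graph and reports every path from a root package to a target package, and it can build that graph from the current Python environment via `importlib.metadata`. The `SAMPLE_GRAPH` is constructed so the script runs offline; only the names `redis-om` and `cleo` come from the issue, the intermediate package `hypothetical-build-tool` is a placeholder and the edges are not the real dependency tree of redis-om 0.1.0.

```python
"""Find whether, and via which chain, a package depends on a flagged package.

Added example (not part of redis-om-python). Answers the question from the
issue thread: is cleo a direct dependency of redis-om, or only an upstream
(transitive) one? A constructed graph keeps the script runnable offline;
installed_graph() builds the same shape from the live environment.
"""
from __future__ import annotations

import re
from collections import deque

# Constructed sample graph: package -> direct requirements. NOT the real
# dependency tree of redis-om 0.1.0; "hypothetical-build-tool" is a placeholder.
SAMPLE_GRAPH = {
    "redis-om": ["redis", "pydantic", "hypothetical-build-tool"],
    "hypothetical-build-tool": ["cleo", "tomli"],
    "cleo": ["crashtest"],
    "redis": [],
    "pydantic": ["typing-extensions"],
    "tomli": [],
    "crashtest": [],
    "typing-extensions": [],
}

# Leading project name of a Requires-Dist string (stops at '[', '(', '>', ';', space, ...)
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> str | None:
    """Strip extras, version specifiers and markers from a requirement string."""
    m = _NAME_RE.match(req)
    return normalize(m.group(1)) if m else None


def installed_graph() -> dict[str, list[str]]:
    """Build package -> requirements from the packages installed in this interpreter."""
    from importlib.metadata import distributions

    graph: dict[str, list[str]] = {}
    for dist in distributions():
        raw_name = dist.metadata["Name"]
        if not raw_name:
            continue  # broken metadata, skip rather than crash the audit
        reqs = dist.requires or []  # list of Requires-Dist strings, may be None
        graph[normalize(raw_name)] = [
            n for n in (requirement_name(r) for r in reqs) if n
        ]
    return graph


def dependency_paths(graph: dict[str, list[str]], root: str, target: str) -> list[list[str]]:
    """Return every dependency chain from root to target (breadth-first, cycle-safe)."""
    root, target = normalize(root), normalize(target)
    paths: list[list[str]] = []
    queue: deque[list[str]] = deque([[root]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == target:
            paths.append(path)
            continue
        for dep in graph.get(node, []):
            if dep not in path:  # a package already on this path would be a cycle
                queue.append(path + [dep])
    return paths


def is_direct_dependency(graph: dict[str, list[str]], root: str, target: str) -> bool:
    """True only if target appears in root's own requirement list."""
    return normalize(target) in graph.get(normalize(root), [])


if __name__ == "__main__":
    # Replace SAMPLE_GRAPH with installed_graph() to audit a real environment.
    for chain in dependency_paths(SAMPLE_GRAPH, "redis-om", "cleo"):
        print(" -> ".join(chain))
    print("direct:", is_direct_dependency(SAMPLE_GRAPH, "redis-om", "cleo"))
```

On the sample graph the only chain is `redis-om -> hypothetical-build-tool -> cleo`, and `is_direct_dependency` is false, which is the situation the maintainer describes: the flagged package arrives through an upstream dependency, so a fix has to be pinned or released upstream of this project rather than edited out of its own requirements. Swapping `SAMPLE_GRAPH` for `installed_graph()` runs the same check against whatever is actually installed.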