CVE-2022-40023

7.5 HIGH

Published: September 07, 2022 Modified: December 03, 2025

Description

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21

Source: cve@mitre.org

Exploit Third Party Advisory

https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c

Source: cve@mitre.org

Patch

https://github.com/sqlalchemy/mako/issues/366

Source: cve@mitre.org

Issue Tracking Patch

https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html

Source: cve@mitre.org

Mailing List Third Party Advisory

https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Source: cve@mitre.org

Exploit Third Party Advisory

https://pyup.io/vulnerabilities/CVE-2022-40023/50870/

Source: cve@mitre.org

Third Party Advisory

https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21