CVE-2021-27291

Description

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

How to fix CVE-2021-27291

To remediate CVE-2021-27291, upgrade the affected package to a fixed version below.

• —upgrade to 2.5.2-r1 or later
• —upgrade to 1:1.35.2-1 or later
• —upgrade to 2.7.1+dfsg-2.1 or later
• —upgrade to 2.2.0+dfsg-1+deb9u2 or later
• —upgrade to 2.3.1+dfsg-1+deb10u2 or later
• —upgrade to 2.7.4 or later
• —upgrade to 2e7e8c4a7b318f4032493773732754e418279a14 or later

Is CVE-2021-27291 being exploited?

Low — EPSS is 3.4%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 2.5.2-r1
• from 0, < 1:1.35.2-1
• from 0, < 2.7.1+dfsg-2.1
• from 0, < 2.2.0+dfsg-1+deb9u2
• from 0, < 2.3.1+dfsg-1+deb10u2
• >= 1.1, < 2.7.4
• from 0, < 2e7e8c4a7b318f4032493773732754e418279a14 | >= 1.1, < 2.7.4

CVSS scores

References (17)

• ADVISORYgithub.com/advisories/GHSA-pq64-v7f5-gqh8
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-27291
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-27291
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-27291
• PATCH