CVE-2021-27291 Overview
CVE-2021-27291 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Pygments, a popular Python syntax highlighting library used in numerous web applications, documentation tools, and code formatting systems. The vulnerability exists in versions 1.1 through 2.7.3, where multiple lexers contain regular expressions with exponential or cubic worst-case complexity that can be exploited to cause denial of service conditions.
Critical Impact
Attackers can craft malicious input that triggers catastrophic backtracking in vulnerable regular expressions, causing CPU exhaustion and denial of service in applications that process untrusted code for syntax highlighting.
Affected Products
- Pygments versions 1.1 through 2.7.3
- Debian Linux 9.0 and 10.0
- Fedora 32 and 33
Discovery Timeline
- 2021-03-17 - CVE-2021-27291 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-27291
Vulnerability Analysis
The vulnerability stems from the use of inefficient regular expressions within Pygments lexers. Regular expressions that contain certain patterns—such as nested quantifiers or overlapping alternations—can exhibit exponential time complexity when processing carefully crafted input strings. This type of vulnerability, known as ReDoS (Regular Expression Denial of Service), occurs when the regex engine enters a state of catastrophic backtracking.
In Pygments, multiple lexers used to parse various programming languages contain these problematic regex patterns. When an application using Pygments processes malicious input through an affected lexer, the regex engine can consume excessive CPU resources attempting to match the pattern, effectively freezing the application and causing denial of service.
Root Cause
The root cause is the presence of regular expressions with exponential or cubic worst-case complexity in Pygments lexers. These patterns are vulnerable to algorithmic complexity attacks. For example, in pygments/lexers/archetype.py, the original regex [+-]?(\d+)*\.\\d+%? contained a nested quantifier (\d+)* that could cause catastrophic backtracking: a run of n digits can be divided among the repetitions of the outer group in 2^(n-1) different ways, and when the following \. fails to match, the engine tries every one of them before giving up.
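As an added example (not part of the advisory and not Pygments code), the following script implements the kind of static check that catches the archetype.py pattern: it walks Python's own regex parse tree and flags any unbounded repeat (`*`, `+`, `{n,}`) nested inside another one. The token names are constructed, and the pre-fix regex is assumed to be `[+-]?(\d+)*\.\d+%?`.

```python
# Python 3.11 moved the regex parser to re._parser; older versions expose sre_parse.
try:
    from re import _parser as sre_parse, _constants as sre_constants
except ImportError:
    import sre_parse, sre_constants

MAXREPEAT = sre_constants.MAXREPEAT
REPEATS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)


def _nested_unbounded(node, inside_unbounded=False):
    """Yield once for every unbounded repeat that sits inside another one."""
    for op, av in node:
        if op in REPEATS:
            _lo, hi, sub = av
            unbounded = hi == MAXREPEAT          # *, +, {n,} but not {1,3} or {,3}
            if unbounded and inside_unbounded:
                yield (op, av)
            yield from _nested_unbounded(sub, inside_unbounded or unbounded)
        elif op == sre_constants.SUBPATTERN:     # capturing / non-capturing group
            yield from _nested_unbounded(av[-1], inside_unbounded)
        elif op == sre_constants.BRANCH:         # a|b|c
            for alternative in av[1]:
                yield from _nested_unbounded(alternative, inside_unbounded)
        elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):
            yield from _nested_unbounded(av[1], inside_unbounded)


def has_nested_unbounded_quantifier(pattern):
    """Heuristic ReDoS check for one token regex: True if a *, + or {n,} repeat
    contains another one, e.g. (\\d+)* -- the shape fixed in archetype.py."""
    return any(True for _ in _nested_unbounded(sre_parse.parse(pattern)))


def audit(token_regexes):
    """Return the (name, pattern) pairs that the heuristic flags."""
    return [(n, p) for n, p in token_regexes if has_nested_unbounded_quantifier(p)]


# Patterns copied from the archetype.py hunk in the advisory (the pre-fix one is
# taken as [+-]?(\d+)*\.\d+%?); the last two are its unchanged neighbours.
ARCHETYPE_TOKENS = [
    ('float-before-fix', r'[+-]?(\d+)*\.\d+%?'),
    ('float-after-fix', r'[+-]?\d*\.\d+%?'),
    ('float-exponent', r'[+-]?(\d+\.\d*|\.\d+|\d+)[eE][+-]?\d+'),
    ('iso-duration', r'P((\d*(\.\d+)?[YyMmWwDd]){1,3}(T(\d*(\.\d+)?[HhMmSs]){,3})?|'
                     r'T(\d*(\.\d+)?[HhMmSs]){,3})'),
]

if __name__ == '__main__':
    for name, pattern in audit(ARCHETYPE_TOKENS):
        print(f'nested unbounded quantifier: {name}: {pattern}')   # only float-before-fix
```

The heuristic is deliberately narrow: bounded nesting such as `{1,3}` around `\d*` multiplies work by a constant and is not flagged, and overlapping alternations are not covered.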
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can submit malicious code snippets to any application that uses Pygments for syntax highlighting—such as code paste services, documentation generators, or web forums with code formatting—causing the server to become unresponsive as it processes the malicious input.
The following patch demonstrates the fix applied to address one of the vulnerable regular expressions:
(r'P((\d*(\.\d+)?[YyMmWwDd]){1,3}(T(\d*(\.\d+)?[HhMmSs]){,3})?|'
r'T(\d*(\.\d+)?[HhMmSs]){,3})', Literal.Date),
(r'[+-]?(\d+\.\d*|\.\d+|\d+)[eE][+-]?\d+', Number.Float),
- (r'[+-]?(\d+)*\.\\d+%?', Number.Float),
+ (r'[+-]?\d*\.\d+%?', Number.Float),
(r'0x[0-9a-fA-F]+', Number.Hex),
(r'[+-]?\d+%?', Number.Integer),
],
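Review bot: the replacement is sound, since `\d*` accepts exactly the digit runs that `(\d+)*` did while giving the engine only one way to consume them, but the hunk adds no regression test; add a case that runs this lexer over a long digit run with no following `.` under a time limit so the pattern cannot regress. Also, the removed line reads `\.\\d+` and the added line `\.\d+`; if that doubled backslash is really in the source rather than an artifact of the diff rendering, the change also alters what the token matches, and the commit message should say so.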
Source: GitHub Commit Update
The CHANGES file documents the security fixes:
- Limit recursion with nesting Ruby heredocs (#1638)
- Fix a few inefficient regexes for guessing lexers
- Fix the raw token lexer handling of Unicode (#1616)
-- Revert a private API change in the HTML formatter (#1655) -- please note that private APIs remain subject to change!
+- Revert a private API change in the HTML formatter (#1655) --
+ please note that private APIs remain subject to change!
- Add Dracula theme style (#1636)
+- Fix several exponential/cubic-complexity regexes found by
+ Ben Caller/Doyensec (#1675)
Thanks to Google's OSS-Fuzz project for finding many of these bugs.
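Review bot: the new entry "Fix several exponential/cubic-complexity regexes found by Ben Caller/Doyensec (#1675)" credits the reporters but does not say which lexers were changed, so a reader of CHANGES cannot tell whether their deployment is affected; list the lexers (archetype is one, per the hunk above) or point to where they are enumerated. The re-wrap of the HTML formatter line (#1655) is a whitespace-only change unrelated to the security fix and belongs in a separate commit.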
Source: GitHub Commit Update
Detection Methods for CVE-2021-27291
Indicators of Compromise
- Abnormally high CPU utilization on servers running Pygments-based syntax highlighting
- Application timeouts or unresponsiveness when processing specific code snippets
- Memory consumption spikes during code parsing operations
- Increased response latency for code formatting endpoints
Detection Strategies
- Monitor CPU and memory usage patterns on systems running applications that use Pygments for syntax highlighting
- Implement application-level request timeout monitoring to detect requests that take unusually long to process
- Deploy web application firewalls (WAF) with rate limiting to mitigate high-volume attack attempts
- Use dependency scanning tools to identify vulnerable Pygments versions in your software supply chain
Monitoring Recommendations
- Set up alerting for CPU utilization exceeding normal thresholds on application servers
- Monitor application response times and flag significant deviations from baseline performance
- Track Pygments-related processing times in application logs
- Implement request timeout enforcement at the application and infrastructure levels
How to Mitigate CVE-2021-27291
Immediate Actions Required
- Upgrade Pygments to version 2.7.4 or later immediately
- Audit applications and dependencies for use of vulnerable Pygments versions
- Implement request timeouts for code highlighting operations as a defense-in-depth measure
- Consider rate limiting on endpoints that accept code input for syntax highlighting
Patch Information
The vulnerability has been fixed in Pygments version 2.7.4. The fix addresses several exponential and cubic complexity regular expressions identified by Ben Caller of Doyensec. The security patch is available via the GitHub Commit Update. Additional security advisories have been published by Debian Security Advisory DSA-4878 and Debian Security Advisory DSA-4889.
Workarounds
- Implement strict input length limits for code submitted for syntax highlighting
- Set aggressive timeouts on code processing operations to prevent resource exhaustion
- Use process isolation or sandboxing for Pygments processing to contain potential DoS impacts
- Deploy rate limiting on code formatting endpoints to reduce attack surface
# Upgrade Pygments to the patched version (quote the specifier so the shell
# does not treat ">=" as an output redirection)
pip install --upgrade 'pygments>=2.7.4'
# Verify installed version
pip show pygments | grep Version
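The length limit, timeout and process isolation listed above, combined into one guard, as an added example that is neither Pygments code nor a Pygments API: the match runs in a child process that is killed once it exceeds a wall-clock budget, so a backtracking regex costs the server one bounded-time process instead of a hung worker. The regexes are the archetype.py pair quoted in the advisory (pre-fix form assumed as `[+-]?(\d+)*\.\d+%?`); `MAX_INPUT`, the function names and the sample inputs are assumptions.

```python
import multiprocessing as mp
import re

# Regexes quoted from the archetype.py hunk in the advisory (pre-fix form taken
# as [+-]?(\d+)*\.\d+%?); the vulnerable one still has the (\d+)* nesting.
VULNERABLE = r'[+-]?(\d+)*\.\d+%?'
FIXED = r'[+-]?\d*\.\d+%?'
MAX_INPUT = 64 * 1024            # assumed length cap for submitted snippets

try:                             # fork is cheapest on Linux; Windows has no fork
    _ctx = mp.get_context('fork')
except ValueError:
    _ctx = mp.get_context()


def _match_worker(conn, pattern, text):
    """Child process: run the match and report the result over the pipe."""
    m = re.match(pattern, text)
    conn.send(m.group(0) if m else None)
    conn.close()


def guarded_match(pattern, text, timeout=1.0):
    """Run `pattern` against `text` in a throwaway process under a wall-clock
    limit. Returns (status, matched_text): status is 'ok', 'timeout',
    'too_long' or 'error'; matched_text is None unless status is 'ok'."""
    if len(text) > MAX_INPUT:
        return ('too_long', None)
    parent, child = _ctx.Pipe(duplex=False)
    proc = _ctx.Process(target=_match_worker, args=(child, pattern, text), daemon=True)
    proc.start()
    child.close()                                 # parent keeps the read end only
    if parent.poll(timeout):                      # answer (or EOF) within the limit
        try:
            result = parent.recv()
        except EOFError:                          # child died without answering
            proc.join()
            return ('error', None)
        proc.join()
        return ('ok', result)
    proc.terminate()                              # SIGTERM stops runaway backtracking
    proc.join()
    return ('timeout', None)


if __name__ == '__main__':
    digits = '1' * 40                             # constructed: digits with no '.'
    print(guarded_match(VULNERABLE, digits, timeout=0.5))   # ('timeout', None)
    print(guarded_match(FIXED, digits, timeout=0.5))        # ('ok', None)
    print(guarded_match(FIXED, '3.14%'))                    # ('ok', '3.14%')
```

In a deployment the worker would call the highlighter with the chosen lexer instead of `re.match`; the guard itself is unchanged.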
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.