CVE-2023-30608: Sqlparse_project Sqlparse DOS Vulnerability

CVE-2023-30608 is a Denial of Service flaw in Sqlparse_project Sqlparse caused by a ReDoS-vulnerable regular expression. This vulnerability can lead to service disruption. This article covers technical details, affected versions, impact analysis, and mitigation strategies.

CVE-2023-30608 Overview

CVE-2023-30608 is a Regular Expression Denial of Service (ReDoS) vulnerability in sqlparse, a non-validating SQL parser module for Python. The flaw resides in a regular expression used by the parser for string token recognition. The defective regex was introduced by commit e75e358 and remained until commit c457abd5f, which shipped in sqlparse 0.4.4. Attackers can supply crafted SQL input that triggers catastrophic backtracking, exhausting CPU resources and causing service unavailability. The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity).

Critical Impact

Remote attackers can submit malicious SQL strings to applications that parse user-supplied SQL with sqlparse, causing high CPU consumption and denial of service without authentication or user interaction.

Affected Products

  • sqlparse versions prior to 0.4.4
  • Debian Linux 10 (Buster) packages bundling sqlparse
  • Python applications and frameworks depending on vulnerable sqlparse releases (including Django ORM debug tooling)

Discovery Timeline

  • 2023-04-18 - CVE-2023-30608 published to NVD
  • 2023-04-18 - GitHub Security Advisory GHSA-rrm6-wvj7-cwh2 released and fix landed in sqlparse 0.4.4 via commit c457abd5f097dd13fb21543381e7cfafe7d31cfb
  • 2023-05 - Debian LTS published advisory for affected Debian 10 packages
  • 2024-12 - Additional Debian LTS announcement referencing the issue
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2023-30608

Vulnerability Analysis

The vulnerability is a ReDoS condition triggered by ambiguous alternation inside a regular expression that tokenizes single-quoted and double-quoted SQL string literals. The pre-patch regex contained the alternative \\\\ (an escaped backslash) alongside \\' and [^'], producing overlapping matches for the same input characters. When a regex engine evaluates a long, specially crafted input against this ambiguous pattern, it explores an exponential number of backtracking paths before failing. Any application that passes attacker-controllable SQL strings to sqlparse.parse(), format(), or split() becomes a denial-of-service target. Because parsing typically occurs server-side and runs synchronously, a single request can saturate a worker thread.

Root Cause

The root cause is the regular expression r"'(''|\\\\|\\'|[^'])*'" (and its double-quoted counterpart) defined in sqlparse/keywords.py. The \\\\ branch overlaps with [^'], which also matches a backslash, so a run of backslashes can be consumed by the repeated group in many different ways. On crafted input the engine explores these alternatives through exponential backtracking, which is why the pattern is classified under CWE-1333 (Inefficient Regular Expression Complexity).

Attack Vector

The attack vector is network-accessible whenever an application accepts SQL or SQL fragments from untrusted sources and feeds them to sqlparse. Examples include SQL formatting web services, ORM debug consoles, log parsers, business intelligence tooling, and database administration UIs. No authentication or privileges are required if the parsing endpoint is exposed.

```python
# Vulnerable regex fragment removed by commit c457abd5f (sqlparse/keywords.py)
# Before (vulnerable):
(r"'(''|\\\\|\\'|[^'])*'", tokens.String.Single),
(r'"(""|\\\\|\\"|[^"])*"', tokens.String.Symbol),

# After (patched):
(r"'(''|\\'|[^'])*'", tokens.String.Single),
(r'"(""|\\"|[^"])*"', tokens.String.Symbol),
# Source: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb
```

The patch removes the redundant \\\\ alternative, eliminating the ambiguous backtracking path while preserving correct handling of escaped quotes.

Detection Methods for CVE-2023-30608

Indicators of Compromise

  • Python worker processes sustaining 100% CPU on a single core while handling SQL-parsing requests
  • HTTP requests or queue messages containing unusually long single-quoted or double-quoted SQL string literals with repeated backslashes
  • Application timeouts, gateway 502/504 errors, or thread-pool exhaustion correlated with calls into sqlparse.parse(), sqlparse.format(), or sqlparse.split()
  • Stack traces in crash dumps showing frames inside sqlparse/lexer.py or sqlparse/keywords.py

Detection Strategies

  • Inventory Python dependencies with pip list, SBOM tooling, or SCA scanners and flag any sqlparse build older than 0.4.4
  • Instrument the application to log per-request sqlparse execution time and alert when parsing exceeds a defined threshold (for example, 500 ms)
  • Add web application firewall rules to identify SQL input strings exceeding a reasonable length or containing high-density \\ sequences
  • Correlate spikes in process CPU time with concurrent inbound request payloads using EDR or APM telemetry

Monitoring Recommendations

  • Track CPU saturation, request latency, and worker queue depth on services that parse user-supplied SQL
  • Alert on repeated client requests that consistently trigger long parse durations from the same source IP or API key
  • Ingest application and WAF logs into a central data lake or SIEM to correlate ReDoS attempts across services and timeframes

How to Mitigate CVE-2023-30608

Immediate Actions Required

  • Upgrade sqlparse to version 0.4.4 or later in all Python environments, containers, and Lambda layers
  • Rebuild and redeploy container images that bundle the vulnerable library, then invalidate cached base images
  • Apply Debian security updates for Debian 10 systems using the LTS advisories referenced by the project
  • Audit application code paths that pass untrusted input to sqlparse and add input length limits as defense in depth

Patch Information

The fix is committed as c457abd5f097dd13fb21543381e7cfafe7d31cfb and released in sqlparse 0.4.4. See the GitHub Security Advisory GHSA-rrm6-wvj7-cwh2, the patch commit, and the Debian LTS announcement. Background on this vulnerability class is available in the OWASP ReDoS overview.

Workarounds

  • The upstream project states there are no known workarounds; upgrading is required
  • As a temporary compensating control, enforce strict input size limits (for example, reject SQL payloads larger than a few kilobytes) at the API gateway or WAF
  • Run SQL parsing in a subprocess or worker with a hard CPU-time limit using resource.setrlimit(RLIMIT_CPU, ...) to contain runaway parses
  • Rate-limit and authenticate any endpoint that exposes SQL parsing to external users

```bash
# Upgrade sqlparse across Python environments
pip install --upgrade 'sqlparse>=0.4.4'

# Verify installed version
python -c "import sqlparse; print(sqlparse.__version__)"

# Debian 10 (LTS) package update
sudo apt-get update && sudo apt-get install --only-upgrade python3-sqlparse
```
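The following wrapper combines two of the compensating controls listed under Workarounds (an input size limit and parsing in a CPU-limited child process) and also returns the per-request parse time that the Detection Strategies section suggests alerting on. It is an added example, not code from the sqlparse project: it assumes a Unix host (fork start method and RLIMIT_CPU), the caller passes in the parser callable (for instance sqlparse.split), and the limits MAX_SQL_BYTES, CPU_SECONDS, WALL_SECONDS and SLOW_PARSE_SECONDS are illustrative values.

```python
"""Bound the cost of parsing untrusted SQL: a compensating control for CVE-2023-30608.
Added example, not sqlparse project code. Assumes a Unix host (fork, RLIMIT_CPU)."""
import multiprocessing as mp
import resource
import time
from typing import Any, Callable, Tuple

MAX_SQL_BYTES = 4096      # reject oversized payloads before parsing at all (illustrative)
CPU_SECONDS = 1           # hard CPU budget for one parse in the child process
WALL_SECONDS = 2.0        # parent-side wall-clock guard if RLIMIT_CPU is unavailable
SLOW_PARSE_SECONDS = 0.5  # per-request alert threshold; compare against returned seconds

def _child(parser, sql, conn):
    # Child: cap CPU time so a runaway regex dies from SIGXCPU instead of spinning
    try:
        resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    except ValueError:
        pass  # cannot lower the limit here; the parent's wall-clock guard still applies
    try:
        conn.send(("ok", parser(sql)))
    except Exception as exc:  # parser raised: report it rather than vanish silently
        conn.send(("error", repr(exc)))
    finally:
        conn.close()

def guarded_parse(sql: str, parser: Callable[[str], Any]) -> Tuple[str, Any, float]:
    """Run parser(sql) in a CPU-limited child; returns (status, payload, seconds)
    with status "ok", "rejected", "timeout" or "error"."""
    if len(sql.encode("utf-8")) > MAX_SQL_BYTES:
        return ("rejected", "payload exceeds %d bytes" % MAX_SQL_BYTES, 0.0)
    started = time.monotonic()
    ctx = mp.get_context("fork")
    parent, child = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_child, args=(parser, sql, child))
    proc.start()
    child.close()  # parent keeps only the read end, so child death shows up as EOF
    try:
        status, payload = parent.recv() if parent.poll(WALL_SECONDS) else ("timeout", None)
    except EOFError:  # child was killed (e.g. by SIGXCPU) before it could reply
        status, payload = "timeout", None
    if proc.is_alive():
        proc.kill()
    proc.join()
    parent.close()
    return (status, payload, time.monotonic() - started)

def burn_cpu(sql: str) -> None:
    """Constructed stand-in for a catastrophic-backtracking parse (never returns)."""
    while True:
        pass
```

A caller would log the returned seconds and raise an alert when it exceeds SLOW_PARSE_SECONDS, while a "timeout" status means the child was terminated before the regex could exhaust the worker.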

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
