CVE-2024-21503 Overview
CVE-2024-21503 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the Black Python code formatter in versions prior to 24.3.0. The vulnerability exists in the lines_with_leading_tabs_expanded function within the strings.py file. An attacker could exploit this vulnerability by crafting malicious input containing specially constructed strings with numerous leading tab characters, causing catastrophic backtracking in the regular expression engine and resulting in denial of service conditions.
Critical Impact
Processing untrusted Python code with vulnerable versions of Black could lead to service disruption through CPU exhaustion, particularly in CI/CD pipelines and automated code formatting workflows.
Affected Products
- Black Python Formatter versions prior to 24.3.0
- Python projects using Black for automated code formatting
- CI/CD pipelines integrating vulnerable Black versions
Discovery Timeline
- 2024-03-19 - CVE-2024-21503 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-21503
Vulnerability Analysis
This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity) and CWE-75 (Failure to Sanitize Special Elements into a Different Plane). The issue stems from a poorly optimized regular expression pattern used within the lines_with_leading_tabs_expanded() function. When processing input containing strings with thousands of leading tab characters—particularly within docstrings—the regex engine enters catastrophic backtracking, consuming excessive CPU resources and potentially rendering the formatting service unresponsive.
The attack vector is network-accessible, requiring no authentication or user interaction to exploit. However, exploitation requires the attacker to supply malicious Python code to be processed by Black, making scenarios involving untrusted input processing the primary concern.
Root Cause
The root cause lies in the FIRST_NON_WHITESPACE_RE regular expression pattern that was used to match whitespace and tab characters. The pattern \s*\t+\s*(\S) exhibited exponential time complexity when processing strings with specific combinations of tabs and whitespace characters, leading to algorithmic complexity attacks against the regex engine.
Attack Vector
The vulnerability can be exploited in any environment where Black processes untrusted Python code. Attack scenarios include:
- CI/CD Pipeline Attacks: Submitting malicious code through pull requests that trigger automated Black formatting
- Online Code Formatting Services: Web services offering Black formatting could be disrupted by malicious submissions
- Development Environments: Processing untrusted third-party code with embedded malicious strings
The following patch shows how the vulnerability was addressed by removing the problematic regular expression pattern:
STRING_PREFIX_RE: Final = re.compile(
r"^([" + STRING_PREFIX_CHARS + r"]*)(.*)$", re.DOTALL
)
-FIRST_NON_WHITESPACE_RE: Final = re.compile(r"\s*\t+\s*(\S)")
UNICODE_ESCAPE_RE: Final = re.compile(
r"(?P<backslashes>\\+)(?P<body>"
r"(u(?P<u>[a-fA-F0-9]{4})))" # Character with 16-bit hex value xxxx
Source: GitHub Commit f00093672628d212b8965a8993cee8bedf5fe9b8
Detection Methods for CVE-2024-21503
Indicators of Compromise
- Abnormally high CPU utilization on systems running Black formatter
- Black processes that hang or become unresponsive during code formatting operations
- Timeout errors in CI/CD pipelines during automated code formatting steps
- Python files containing suspicious strings with excessive leading tab characters in docstrings
Detection Strategies
- Implement dependency scanning to identify Black versions prior to 24.3.0 in project requirements
- Monitor CI/CD pipeline execution times for anomalous delays during formatting stages
- Use software composition analysis (SCA) tools to flag vulnerable Black package versions
- Review Python dependency files (requirements.txt, pyproject.toml, Pipfile) for vulnerable versions
Monitoring Recommendations
- Set up alerts for prolonged CPU spikes on development and CI/CD infrastructure
- Configure timeout thresholds for Black formatting operations to prevent indefinite hangs
- Implement logging for Black execution times to establish baselines and detect anomalies
- Monitor for process hangs or memory growth in formatting service containers
How to Mitigate CVE-2024-21503
Immediate Actions Required
- Upgrade Black to version 24.3.0 or later immediately
- Audit all projects and CI/CD configurations for Black version dependencies
- Implement input validation for any workflows processing untrusted Python code with Black
- Consider temporarily disabling automated Black formatting on untrusted code submissions until patched
Patch Information
The vulnerability has been addressed in Black version 24.3.0. The fix removes the problematic FIRST_NON_WHITESPACE_RE regular expression pattern and implements a more efficient algorithm for handling leading tabs in the lines_with_leading_tabs_expanded() function.
Patch details are available in the GitHub commit f00093672628d212b8965a8993cee8bedf5fe9b8 and the Black 24.3.0 release notes.
Workarounds
- Avoid running Black on untrusted or externally-sourced Python code
- Implement execution timeouts for Black processes to prevent indefinite CPU consumption
- Use containerized environments with resource limits for code formatting operations
- Sanitize input files by checking for excessive leading tab characters before formatting
# Upgrade Black to the patched version
pip install --upgrade black>=24.3.0
# Verify installed version
black --version
# Update requirements.txt to enforce minimum version
echo "black>=24.3.0" >> requirements.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
