CVE-2024-3772 Overview
CVE-2024-3772 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Pydantic, a popular Python data validation library. The vulnerability exists in versions prior to 2.4.0 and 1.10.13, where a crafted email string can trigger catastrophic backtracking in the regular expression engine, allowing remote attackers to cause denial of service conditions.
Critical Impact
Remote attackers can exhaust server resources by submitting specially crafted email strings, causing application unavailability without requiring authentication.
Affected Products
- Pydantic versions prior to 2.4.0
- Pydantic versions prior to 1.10.13
- Fedora 38 (via bundled Pydantic package)
Discovery Timeline
- 2024-04-15 - CVE-2024-3772 published to NVD
- 2025-12-09 - Last updated in NVD database
Technical Details for CVE-2024-3772
Vulnerability Analysis
This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). The Pydantic library includes email validation functionality that relies on regular expressions to parse and validate email address formats. When processing certain maliciously crafted email strings, the regex engine enters a state of catastrophic backtracking, where the time complexity grows exponentially with input length.
The attack is network-accessible and requires no privileges or user interaction, making it particularly dangerous for web applications and APIs that accept email input from untrusted sources. While the vulnerability does not compromise data confidentiality or integrity, it can render affected services completely unavailable.
Root Cause
The root cause lies in an inefficient regular expression pattern used for email validation within Pydantic. The regex contains nested quantifiers or overlapping alternation groups that create ambiguous matching paths. When presented with input specifically designed to maximize these ambiguities, the regex engine must explore an exponentially growing number of possible matches before determining whether the input is valid.
Attack Vector
The attack exploits Pydantic's email validation by providing specially crafted email strings that trigger worst-case regex matching behavior. Since Pydantic is commonly used in web frameworks like FastAPI for request validation, an attacker can submit malicious payloads through any endpoint that validates email fields, causing the server to hang while processing the regex.
Applications are vulnerable if they use Pydantic's EmailStr type or email validators on user-controlled input. The attack does not require any authentication and can be executed remotely over the network. A single malicious request can consume significant CPU resources, and repeated requests can overwhelm application servers.
Detection Methods for CVE-2024-3772
Indicators of Compromise
- Abnormally long request processing times on endpoints accepting email input
- CPU utilization spikes correlated with incoming requests containing unusual email-like strings
- Application timeouts or unresponsive worker processes
- Request logs showing email fields with repetitive character patterns or unusually long local parts
Detection Strategies
- Monitor application performance metrics for sudden increases in response latency on validation-heavy endpoints
- Implement request timeout policies to prevent individual requests from consuming excessive resources
- Deploy web application firewall (WAF) rules to detect and block email inputs with suspicious repetitive patterns
- Configure application logging to capture and alert on regex execution timeouts
Monitoring Recommendations
- Set up alerting for CPU utilization anomalies in application workers
- Monitor request queue lengths for signs of thread pool exhaustion
- Track average response times and alert when they exceed baseline thresholds
- Review logs for repeated failed email validations with similar malformed patterns
How to Mitigate CVE-2024-3772
Immediate Actions Required
- Upgrade Pydantic to version 2.4.0 or later for the 2.x branch
- Upgrade Pydantic to version 1.10.13 or later for the 1.x branch
- Audit applications to identify all endpoints that accept email input for validation
- Implement request timeouts at the application or reverse proxy level
Patch Information
The Pydantic maintainers addressed this vulnerability in GitHub Pull Request #7360, which introduces a more efficient email validation approach. Fedora users should apply updates as announced in the Fedora Package Announcement.
Workarounds
- Implement input length limits on email fields before they reach Pydantic validation
- Use alternative email validation libraries with known-safe regex patterns as a temporary measure
- Deploy rate limiting on endpoints that accept email input to slow potential DoS attacks
- Configure application workers with execution timeouts to prevent indefinite hangs
# Upgrade Pydantic to patched version
pip install --upgrade "pydantic>=2.4.0"
# Or for 1.x branch
pip install --upgrade "pydantic>=1.10.13"
# Verify installed version
pip show pydantic | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
