Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2024-3772

CVE-2024-3772: Pydantic Regular Expression DoS Vulnerability

CVE-2024-3772 is a regular expression denial of service vulnerability in Pydantic that allows attackers to cause DoS via crafted email strings. This post covers the technical details, affected versions, and mitigation.

Updated:

CVE-2024-3772 Overview

CVE-2024-3772 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting Pydantic, a popular Python data validation library. The vulnerability exists in versions prior to 2.4.0 and 1.10.13, where a crafted email string can trigger catastrophic backtracking in the regular expression engine, allowing remote attackers to cause denial of service conditions.

Critical Impact

Remote attackers can exhaust server resources by submitting specially crafted email strings, causing application unavailability without requiring authentication.

Affected Products

  • Pydantic versions prior to 2.4.0
  • Pydantic versions prior to 1.10.13
  • Fedora 38 (via bundled Pydantic package)

Discovery Timeline

  • 2024-04-15 - CVE-2024-3772 published to NVD
  • 2025-12-09 - Last updated in NVD database

Technical Details for CVE-2024-3772

Vulnerability Analysis

This vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity). The Pydantic library includes email validation functionality that relies on regular expressions to parse and validate email address formats. When processing certain maliciously crafted email strings, the regex engine enters a state of catastrophic backtracking, where the time complexity grows exponentially with input length.

The attack is network-accessible and requires no privileges or user interaction, making it particularly dangerous for web applications and APIs that accept email input from untrusted sources. While the vulnerability does not compromise data confidentiality or integrity, it can render affected services completely unavailable.

Root Cause

The root cause lies in an inefficient regular expression pattern used for email validation within Pydantic. The regex contains nested quantifiers or overlapping alternation groups that create ambiguous matching paths. When presented with input specifically designed to maximize these ambiguities, the regex engine must explore an exponentially growing number of possible matches before determining whether the input is valid.

Attack Vector

The attack exploits Pydantic's email validation by providing specially crafted email strings that trigger worst-case regex matching behavior. Since Pydantic is commonly used in web frameworks like FastAPI for request validation, an attacker can submit malicious payloads through any endpoint that validates email fields, causing the server to hang while processing the regex.

Applications are vulnerable if they use Pydantic's EmailStr type or email validators on user-controlled input. The attack does not require any authentication and can be executed remotely over the network. A single malicious request can consume significant CPU resources, and repeated requests can overwhelm application servers.

Detection Methods for CVE-2024-3772

Indicators of Compromise

  • Abnormally long request processing times on endpoints accepting email input
  • CPU utilization spikes correlated with incoming requests containing unusual email-like strings
  • Application timeouts or unresponsive worker processes
  • Request logs showing email fields with repetitive character patterns or unusually long local parts

Detection Strategies

  • Monitor application performance metrics for sudden increases in response latency on validation-heavy endpoints
  • Implement request timeout policies to prevent individual requests from consuming excessive resources
  • Deploy web application firewall (WAF) rules to detect and block email inputs with suspicious repetitive patterns
  • Configure application logging to capture and alert on regex execution timeouts

Monitoring Recommendations

  • Set up alerting for CPU utilization anomalies in application workers
  • Monitor request queue lengths for signs of thread pool exhaustion
  • Track average response times and alert when they exceed baseline thresholds
  • Review logs for repeated failed email validations with similar malformed patterns

How to Mitigate CVE-2024-3772

Immediate Actions Required

  • Upgrade Pydantic to version 2.4.0 or later for the 2.x branch
  • Upgrade Pydantic to version 1.10.13 or later for the 1.x branch
  • Audit applications to identify all endpoints that accept email input for validation
  • Implement request timeouts at the application or reverse proxy level

Patch Information

The Pydantic maintainers addressed this vulnerability in GitHub Pull Request #7360, which introduces a more efficient email validation approach. Fedora users should apply updates as announced in the Fedora Package Announcement.

Workarounds

  • Implement input length limits on email fields before they reach Pydantic validation
  • Use alternative email validation libraries with known-safe regex patterns as a temporary measure
  • Deploy rate limiting on endpoints that accept email input to slow potential DoS attacks
  • Configure application workers with execution timeouts to prevent indefinite hangs
bash
# Upgrade Pydantic to patched version
pip install --upgrade "pydantic>=2.4.0"

# Or for 1.x branch
pip install --upgrade "pydantic>=1.10.13"

# Verify installed version
pip show pydantic | grep Version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne