CVE Reports

Posted on • Originally published at cvereports.com

GHSA-G75F-G53V-794X: CPU Exhaustion via Unbounded Email Regular Expression Scanning in Bleach

Vulnerability ID: GHSA-G75F-G53V-794X
CVSS Score: 4.3
Published: 2026-06-16

An uncontrolled resource consumption vulnerability exists in the Python package Bleach when parsing text to linkify email addresses. When parse_email=True is enabled, the regular expression engine is forced into a quadratic-time complexity scan on specially crafted payloads lacking an '@' symbol. This causes immediate CPU exhaustion and blocks application server worker processes.

TL;DR

A ReDoS vulnerability in Bleach's email linkifier allows remote attackers to cause severe CPU exhaustion by submitting a 30KB payload of repeating dot-atom sequences, resulting in thread starvation and denial of service.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-1333
  • Attack Vector: Network
  • CVSS Score: 4.3
  • Impact: Denial of Service (CPU Exhaustion)
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed

Affected Systems

  • bleach Python package
  • bleach: <= 6.3.0 (Fixed in: None (Deprecated))

Mitigation Strategies

  • Disable email parsing by ensuring parse_email=False when calling bleach.linkify().
  • Implement a linear-time pre-filter check that verifies the presence of the @ character before invoking the regular expression search.
  • Enforce maximum length limits on user-submitted text inputs to prevent long-running regular expression matches.
  • Construct a custom, bounded email regular expression and supply it to the Bleach Linker interface.

Remediation Steps

  1. Review codebases for instances of bleach.linkify and the Linker class where parse_email is set to True.
  2. Wrap the calls to bleach.linkify with a pre-filter function that validates input size and checks for the existence of an @ character.
  3. If the codebase allows, migrate away from the deprecated bleach package to active, maintained alternatives such as nh3.
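The pre-filter from the mitigation list and remediation step 2, as an added example (not code from the advisory or from the Bleach project): a linear-time gate that enables parse_email only when the input is within a length limit and actually contains an '@', so the email regular expression is never reached by oversized or '@'-less text. MAX_INPUT_LEN is an assumed application limit, the sample strings are constructed, and the `linkify` parameter defaults to bleach.linkify (imported lazily so the guard can be exercised with a stub where bleach is not installed).

```python
"""Added example: a linear-time pre-filter in front of bleach.linkify.

Not part of the advisory or of the Bleach package. MAX_INPUT_LEN is an
assumed limit; size it for the inputs your application actually accepts.
"""

MAX_INPUT_LEN = 10_000  # assumed application limit, not a value from the advisory


def safe_to_parse_email(text: str, max_len: int = MAX_INPUT_LEN) -> bool:
    """Cheap O(n) gate: allow parse_email only for bounded text containing '@'.

    Both checks are plain scans, so the decision stays linear even on the
    30KB '@'-less payloads the advisory describes.
    """
    return len(text) <= max_len and "@" in text


def linkify_guarded(text: str, linkify=None, max_len: int = MAX_INPUT_LEN) -> str:
    """Run bleach.linkify with parse_email switched on only when the gate passes.

    Oversized input is rejected outright (mitigation: enforce length limits).
    `linkify` defaults to bleach.linkify, imported lazily so the guard itself
    has no hard dependency on the deprecated package and can be tested with a stub.
    """
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds limit of {max_len}")
    if linkify is None:
        import bleach  # deprecated; see remediation step 3 about migrating away
        linkify = bleach.linkify
    # parse_email=False is the safe default; it is enabled per call only when
    # the text can contain an address at all.
    return linkify(text, parse_email=safe_to_parse_email(text, max_len))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory's proof of concept.
    oversized_no_at = "a." * 15_000  # 30,000 chars, no '@': both gates reject it
    print(safe_to_parse_email(oversized_no_at))  # False
    print(safe_to_parse_email("mail me: user@example.com"))  # True
```

The length check runs before the '@' check, so the gate rejects oversized input even when an address is present; Bleach's Linker also accepts a custom email pattern (the advisory's fourth mitigation), but a tighter regular expression is only a complement to the size limit, not a replacement for it.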

Read the full report for GHSA-G75F-G53V-794X on our website for more details including interactive diagrams and full exploit analysis.
