CVE-2021-29510: Infinite Loop in Pydantic

CWE-835: Infinite Loop (7 documents, 5 sources)

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 79.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 13; latest update Dec 12

Description

Pydantic is a data validation and settings management library using Python type hinting. In affected versions, passing `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to a `datetime` or `date` field causes validation to run forever at 100% CPU usage (on one CPU). Pydantic has been patched, with fixes available in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on pypi (https://pypi.org/project/pydantic/#history) and will be available on conda-forge (htt

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (6 packages)

Source     | Package                | Affected range
-----------|------------------------|-------------------------------------------
CVEListV5  | samuelcolvin/pydantic  | < 1.6.2 (+2 more ranges)
debian     | debian/pydantic        | < pydantic 1.7.4-1 (bookworm)
NVD        | pydantic/pydantic      | 1.7, fixed in 1.7.4 (+2 more ranges)
PyPI       | pydantic/pydantic      | 1.8, fixed in 1.8.2 (+2 more ranges)
Debian     | pydantic/pydantic      | < 1.7.4-1 (+3 more ranges)

Also affects: Fedora 33, 34

Patches

Vulnerability Details (4)

- OSV: pydantic vulnerability (2023-12-12)
- OSV: CVE-2021-29510: Pydantic is a data validation and settings management using Python type hinting (2021-05-13)
- OSV: Use of "infinity" as an input to datetime and date fields causes infinite loop in pydantic (2021-05-13)
- GHSA: Use of "infinity" as an input to datetime and date fields causes infinite loop in pydantic (2021-05-13)

Vendor Advisories (2)

- Ubuntu: Pydantic vulnerability (2023-12-12)
- Debian: CVE-2021-29510: pydantic - Pydantic is a data validation and settings management using Python type hinting.... (2021)