CVE-2024-4340
Published 2024-04-30
CVE-2024-4340: Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Priority: P3 | 48 | high | CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT / EPSS: 3.21% (86.6th percentile)
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sqlparse | < sqlparse 0.4.2-1+deb12u1 (bookworm) | sqlparse 0.4.2-1+deb12u1 (bookworm) |
| sqlparse_project | sqlparse | >= 0 < 0.4.1-1+deb11u1 | 0.4.1-1+deb11u1 |
| sqlparse_project | sqlparse | >= 0 < 0.4.2-1+deb12u1 | 0.4.2-1+deb12u1 |
| sqlparse_project | sqlparse | >= 0 < 0.5.0-1 | 0.5.0-1 |
| sqlparse_project | sqlparse | >= 0 < 0.5.0-1 | 0.5.0-1 |
| sqlparse_project | sqlparse | >= 0 < 0.5.0 | 0.5.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
Ubuntu
SQL parse vulnerability
vendor_ubuntu·2024-05-13
CVE-2024-4340 SQL parse vulnerability
Title: SQL parse vulnerability
Summary: SQL parse could be made to deny service if it received a specially crafted input.
It was discovered that SQL parse incorrectly handled certain nested lists.
An attacker could possibly use this issue to cause a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
sqlparse: parsing heavily nested list leads to denial of service
vendor_redhat·2024-04-30·CVSS 7.5
CVE-2024-4340 [HIGH] CWE-674 sqlparse: parsing heavily nested list leads to denial of service
sqlparse: parsing heavily nested list leads to denial of service
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
A flaw was found in sqlparse. This issue occurs in a heavily nested list in sqlparse.parse(), where a recursion error may be triggered, which can lead to a denial of service.
Package: python-sqlparse (Red Hat OpenShift Container Platform 4) - Will not fix
Package: python-sqlparse (Red Hat OpenStack Platform 16.1) - Not affected
Package: python-sqlparse (Red Hat OpenStack Platform 16.2) - Not affected
Package: python-sqlparse (Red Hat OpenStack Platform 18.0) - Affected
Debian
CVE-2024-4340: sqlparse - Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service d...
vendor_debian·2024·CVSS 7.5
CVE-2024-4340 [HIGH] CVE-2024-4340: sqlparse - Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service d...
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Scope: local
bookworm: resolved (fixed in 0.4.2-1+deb12u1)
bullseye: resolved (fixed in 0.4.1-1+deb11u1)
forky: resolved (fixed in 0.5.0-1)
sid: resolved (fixed in 0.5.0-1)
trixie: resolved (fixed in 0.5.0-1)
OSV
CVE-2024-4340: Passing a heavily nested list to sqlparse
osv·2024-04-30·CVSS 7.5
CVE-2024-4340 [HIGH] CVE-2024-4340: Passing a heavily nested list to sqlparse
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
GHSA
sqlparse parsing heavily nested list leads to Denial of Service
ghsa·2024-04-15
CVE-2024-4340 [HIGH] CWE-674 sqlparse parsing heavily nested list leads to Denial of Service
sqlparse parsing heavily nested list leads to Denial of Service
### Summary
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
### Details + PoC
Running the following code raises a "Maximum recursion limit exceeded" exception:
```py
import sqlparse
sqlparse.parse('[' * 10000 + ']' * 10000)
```
We expect a traceback of RecursionError:
```text
Traceback (most recent call last):
File "trigger_sqlparse_nested_list.py", line 3, in
sqlparse.parse('[' * 10000 + ']' * 10000)
File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/__init__.py", line 30, in parse
return tuple(parsestream(sql, encoding))
File "/home/uriya/.local/lib/python3.10/site-packages/sqlparse/engine/filter_stack.py", line 36, in run
stmt = grouping.group(stmt)
File "/ho
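The advisory's PoC shows the failure mode: a recursive grouping pass with no depth bound, driven by attacker-controlled nesting, exhausts the interpreter's stack. The remediation field below notes that fixed releases implement recursion depth limits; until an application is on such a release, the same idea can be applied in front of the parser. The following is an added example, not code from sqlparse or from the advisory: a hypothetical `guarded_parse` wrapper that measures bracket nesting in the raw SQL text (ignoring brackets inside string literals and comments) and refuses to hand the statement to any recursive parser when the depth exceeds a configurable bound. The names `max_nesting_depth`, `within_limit`, `guarded_parse`, `NestingTooDeep` and the value of `MAX_NESTING_DEPTH` are assumptions chosen for this example; the parser is passed in as a callable so the guard runs without sqlparse installed.

```python
"""Pre-parse nesting-depth guard for untrusted SQL text (added example).

Hypothetical defensive wrapper, not sqlparse's own code: bound the bracket
nesting of input before it reaches a recursive parser, so crafted input of
the shape '[' * N + ']' * N is rejected instead of triggering RecursionError.
"""
from typing import Any, Callable

# Bracket pairs that a SQL grouping pass nests recursively. Square brackets
# are the ones the advisory's PoC uses; parentheses are the common case.
OPENERS = {"(": ")", "[": "]"}
CLOSERS = {close: open_ for open_, close in OPENERS.items()}

# Assumed bound: well above any legitimate statement's nesting and far below
# CPython's default recursion limit of 1000 frames.
MAX_NESTING_DEPTH = 64


def max_nesting_depth(sql: str) -> int:
    """Return the deepest bracket nesting in `sql`.

    String literals, quoted identifiers and comments are skipped so that
    brackets inside them neither count toward nor escape the bound.
    (Simplified lexing: a doubled quote inside a literal is treated as two
    adjacent literals, which still yields the correct depth.)
    """
    depth = max_depth = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # Skip to the matching quote (or end of input if unterminated).
            quote = ch
            i += 1
            while i < n and sql[i] != quote:
                i += 1
        elif sql.startswith("--", i):
            # Line comment: skip to end of line.
            while i < n and sql[i] != "\n":
                i += 1
        elif sql.startswith("/*", i):
            # Block comment: skip past the closing marker.
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 1
        elif ch in OPENERS:
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in CLOSERS:
            # Unbalanced closers never drive the depth negative.
            depth = max(depth - 1, 0)
        i += 1
    return max_depth


def within_limit(sql: str, limit: int = MAX_NESTING_DEPTH) -> bool:
    """True if `sql` nests no deeper than `limit`."""
    return max_nesting_depth(sql) <= limit


class NestingTooDeep(ValueError):
    """Raised when input is refused before parsing."""


def guarded_parse(sql: str, parser: Callable[[str], Any],
                  limit: int = MAX_NESTING_DEPTH) -> Any:
    """Run `parser` (e.g. sqlparse.parse) only if `sql` stays within `limit`.

    The depth check is a single linear scan, so it costs O(len(sql)) and no
    stack, whatever the input looks like.
    """
    depth = max_nesting_depth(sql)
    if depth > limit:
        raise NestingTooDeep(f"nesting depth {depth} exceeds limit {limit}")
    return parser(sql)


if __name__ == "__main__":
    # Constructed inputs: an ordinary statement and the PoC's payload shape.
    benign = "SELECT a FROM t WHERE b IN ((1), (2)) -- [[[ not counted ]]]"
    hostile = "[" * 10000 + "]" * 10000
    print("benign depth:", max_nesting_depth(benign))
    try:
        guarded_parse(hostile, parser=lambda s: s)
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

In production the `parser` argument would be `sqlparse.parse`; the guard is deliberately independent of the parser so it can sit in front of any recursive-descent component that consumes untrusted text, and rejections can be logged as a signal of malformed or hostile input.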
OSV
sqlparse parsing heavily nested list leads to Denial of Service
osv·2024-04-15
CVE-2024-4340 [HIGH] sqlparse parsing heavily nested list leads to Denial of Service
sqlparse parsing heavily nested list leads to Denial of Service
No detection rules found.
Nuclei
sqlparse - Denial of Service
nuclei·CVSS 7.5
CVE-2024-4340 [HIGH] sqlparse - Denial of Service
sqlparse - Denial of Service
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
Template:
```yaml
id: CVE-2024-4340

info:
  name: sqlparse - Denial of Service
  author: KoYejune0302,cheoljun99,sim4110,gy741
  severity: high
  description: |
    Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
  impact: |
    Attackers can cause denial of service by sending heavily nested lists to sqlparse.parse(), triggering RecursionError and making the application unresponsive.
  remediation: |
    Upgrade sqlparse to a version later than the affected releases that implements recursion depth limits.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 7.5
    cve-id: CVE-2024-4340
    epss-score: 0.15953
```
arXiv
From CVE Entries to Verifiable Exploits: An Automated Multi-Agent Framework for Reproducing CVEs
arxiv_fulltext·2026-02-12
From CVE Entries to Verifiable Exploits: An Automated Multi-Agent Framework for Reproducing CVEs
Authors: Saad Ullah (Boston University, corresponding author), Praneeth Balasubramanian (UC Santa Barbara), Wenbo Guo (UC Santa Barbara), Amanda Burnett (Arizona State University), Hammond Pearce (UNSW Sydney), Christopher Kruegel (UC Santa Barbara), Giovanni Vigna (UC Santa Barbara), Gianluca Stringhini (Boston University)
## Abstract
High-quality datasets of real-world vulnerabilities and their corresponding verifiable exploits are crucial resources in software security research. Yet such resources remain scarce, as their creation demands intensive manual effort a
Bugzilla
CVE-2024-4340 sqlparse: parsing heavily nested list leads to denial of service
bugzilla·2024-04-30·CVSS 7.5
CVE-2024-4340 [HIGH] CVE-2024-4340 sqlparse: parsing heavily nested list leads to denial of service
CVE-2024-4340 sqlparse: parsing heavily nested list leads to denial of service
Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
https://github.com/advisories/GHSA-2m57-hf25-phgg
https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/
Discussion:
Created python-sqlparse tracking bugs for this issue:
Affects: epel-all [bug 2278039]
Affects: fedora-all [bug 2278040]
---
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.4 for RHEL 9
Red Hat Ansible Automation Platform 2.4 for RHEL 8
Via RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781
---
This issu
References:
https://github.com/advisories/GHSA-2m57-hf25-phgg
https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03
https://research.jfrog.com/vulnerabilities/sqlparse-stack-exhaustion-dos-jfsa-2024-001031292/
https://lists.debian.org/debian-lts-announce/2024/12/msg00022.html
Published: 2024-04-30