CVE-2024-6232 — Regex Denial of Service in Software Foundation Cpython

CWE-1333 — Regex Denial of Service19 documents8 sources

Severity

7.5HIGHNVD

OSV5.3

EPSS

4.0%

top 11.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython Python

Timeline

PublishedSep 3

Latest updateSep 29

Description

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5python_software_foundation/cpython3.9.0 — 3.9.20+5

▶NVDpython/python3.9.0 — 3.9.20+5

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

python2.7 regression↗2025-09-29

▶

OSV

python2.7 regresssions↗2024-11-22

▶

OSV

python2.7 vulnerabilities↗2024-11-19

▶

OSV

python2.7, python3.5 vulnerability↗2024-10-14

▶

OSV

python2.7, python3.5 vulnerability↗2024-10-01

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2025-05-06

▶

Ubuntu

Python vulnerabilities↗2024-11-19

▶

Ubuntu

Python vulnerabilities↗2024-09-19

▶

Ubuntu

Python vulnerabilities↗2024-09-16

▶

Microsoft

Regular-expression DoS when parsing TarFile headers↗2024-09-10

▶