Regular Expression Denial of Service Vulnerability in Bleach by Mozilla
CVE-2020-6817

7.5HIGH

Key Information:

Vendor: Mozilla
Status: Mozilla Bleach
Vendor: CVE Published:; 16 February 2023

Summary

A vulnerability in the Bleach library could allow attackers to exploit the parsing behavior of style attributes, potentially leading to a regular expression denial of service. When the bleach.clean function is utilized with specific allowed tags and style attributes, it may trigger unbounded backtracking in the regex, resulting in significant performance degradation or application crashes. This vulnerability poses a risk in scenarios where untrusted input can be processed by the bleach.clean method with specified attributes.

Affected Version(s)

Mozilla Bleach < 3.1.4

References

https://github.com/mozilla/bleach/security/advisories/GHS...

https://bugzilla.mozilla.org/show_bug.cgi?id=1623633

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 16, 2023
Vulnerability Reserved
Jan 10, 2020