Regular Expression Denial of Service in Mako Templates by SQLAlchemy
CVE-2022-40023

7.5 HIGH

Key Information:

Vendor: SQLAlchemy

Status: Vendor

CVE Published: 7 September 2022

What is CVE-2022-40023?

The Mako templating engine, maintained by the SQLAlchemy project, is susceptible to Regular Expression Denial of Service (ReDoS) when its Lexer class is used to parse templates. Crafted template input can cause excessive CPU consumption during lexing, degrading performance and potentially denying service to applications that rely on Mako for template rendering. Affected versions are Mako before 1.2.2; projects that depend on this package, including the related babelplugin and linguaplugin plugins, are also affected. Recommended mitigation is to upgrade to the patched Mako release or apply the vendor's recommended workarounds.

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved