{"id":"CVE-2021-27291","details":"In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.","aliases":["GHSA-pq64-v7f5-gqh8","PYSEC-2021-141"],"modified":"2026-04-09T07:38:48.759057Z","published":"2021-03-17T13:15:15.137Z","related":["ALSA-2021:4139","ALSA-2021:4150","ALSA-2021:4151","MGASA-2021-0218","MGASA-2021-0245","SUSE-SU-2021:3814-1","SUSE-SU-2021:3839-1","SUSE-SU-2021:3840-1","SUSE-SU-2021:3841-1","openSUSE-SU-2021:1521-1","openSUSE-SU-2021:3839-1","openSUSE-SU-2021:3841-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GSJRFHALQ7E3UV4FFMFU2YQ6LUDHAI55/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSLD67LFGXOX2K5YNESSWAS4AGZIJTUQ/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00024.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4878"},{"type":"ADVISORY","url":"https://www.debian.org/security/2021/dsa-4889"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html"},{"type":"FIX","url":"https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14"},{"type":"EVIDENCE","url":"https://gist.github.com/b-c-ds/b1a2cc0c68a35c57188575eb496de5ce"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pygments/pygments","events":[{"introduced":"f534f990331df660f5a5ea6947943e184672ac51"},{"fixed":"4d555d0fffc914a2a4ac9874416cdaaf8f8c9e74"},{"fixed":"2e7e8c4a7b318f4032493773732754e418279a14"}],"database_specific":{"versions":[{"introduced":"1.1"},{"fixed":"2.7.4"}]}}],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-27291.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}