{"id":"PYSEC-2022-260","details":"SQLAlchemy Mako before 1.2.2 is vulnerable to regular expression denial of service (ReDoS) when the Lexer class is used to parse input. The babelplugin and linguaplugin extensions are also affected.","aliases":["CVE-2022-40023","GHSA-v973-fxgf-6xhp"],"modified":"2026-03-11T07:48:04.135413Z","published":"2022-09-07T13:15:00Z","references":[{"type":"FIX","url":"https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c"},{"type":"WEB","url":"https://pyup.io/vulnerabilities/CVE-2022-40023/50870/"},{"type":"REPORT","url":"https://github.com/sqlalchemy/mako/issues/366"},{"type":"WEB","url":"https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-v973-fxgf-6xhp"}],"affected":[{"package":{"name":"mako","ecosystem":"PyPI","purl":"pkg:pypi/mako"},"ranges":[{"type":"GIT","repo":"https://github.com/sqlalchemy/mako","events":[{"introduced":"0"},{"fixed":"925760291d6efec64fda6e9dd1fd9cfbd5be068c"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.2"}]}],"versions":["0.1.0","0.1.1","0.1.10","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.4.0","0.4.1","0.4.2","0.5.0","0.6.0","0.6.1","0.6.2","0.7.0","0.7.1","0.7.2","0.7.3","0.8.0","0.8.1","0.9.0","0.9.1","1.0.0","1.0.1","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.2.0","1.2.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mako/PYSEC-2022-260.yaml"}}],"schema_version":"1.7.5"}