py-bleach -- regular expression denial-of-service

Affected packages
py27-bleach < 3.1.4
py35-bleach < 3.1.4
py36-bleach < 3.1.4
py37-bleach < 3.1.4
py38-bleach < 3.1.4


VuXML ID 4c52ec3c-86f3-11ea-b5b4-641c67a117d8
Discovery 2019-03-09
Entry 2020-04-26

Bleach developers report:

bleach.clean behavior parsing style attributes could result in a regular expression denial of service (ReDoS).

Calls to bleach.clean with an allowed tag with an allowed style attribute are vulnerable to ReDoS. For example, bleach.clean(..., attributes={'a': ['style']}).
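The following is an added audit helper, not code from the advisory or from the bleach project, that turns the statement above into a check a defender can run over their own configuration: it flags a bleach version below 3.1.4 and an `attributes` argument that permits `style`, and offers the interim mitigation of dropping `style` from the allowed attributes. It does not import bleach; the accepted shapes of the `attributes` argument (a list, a dict keyed by tag with `'*'` as the wildcard, or a callable taking tag, name and value) follow bleach's documented interface, and the function names are hypothetical.

```python
# Added audit helper for the bleach ReDoS advisory (CVE-2020-6817).
# Hypothetical function names; bleach itself is not imported. The only
# facts taken from the advisory are: affected versions are < 3.1.4, and
# bleach.clean is exposed when an allowed tag has "style" as an allowed
# attribute.
from collections.abc import Mapping
from typing import Callable, Iterable, Union

FIXED_VERSION = (3, 1, 4)  # advisory: affected when bleach < 3.1.4

AttributesArg = Union[Iterable[str], Mapping, Callable[..., bool]]


def parse_version(version: str) -> tuple:
    """'3.1.3' -> (3, 1, 3). Trailing non-digits ('3.1.3rc1') are dropped,
    so a pre-release of 3.1.4 compares as 3.1.4; treat that as a caveat."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_is_affected(version: str) -> bool:
    """True for any release below the fixed version named in the advisory."""
    return parse_version(version) < FIXED_VERSION


def allows_style_attribute(attributes: AttributesArg, tags: Iterable[str] = ()) -> bool:
    """True if bleach.clean(..., attributes=...) would let a style attribute
    through. `tags` is the allowed-tag list passed to bleach.clean; when it is
    empty, every tag key in a dict is assumed allowed. A callable cannot be
    inspected statically, so it is probed with the given tags."""
    tags = list(tags)
    if callable(attributes):
        return any(attributes(tag, "style", "") for tag in tags)
    if isinstance(attributes, Mapping):
        for tag, names in attributes.items():
            if (tag == "*" or not tags or tag in tags) and "style" in names:
                return True
        return False
    return "style" in set(attributes)


def strip_style(attributes: AttributesArg) -> AttributesArg:
    """Return an equivalent attributes argument with 'style' removed, as an
    interim mitigation for installs that cannot yet move to bleach >= 3.1.4."""
    if callable(attributes):
        return lambda tag, name, value: name != "style" and attributes(tag, name, value)
    if isinstance(attributes, Mapping):
        return {tag: [n for n in names if n != "style"] for tag, names in attributes.items()}
    return [n for n in attributes if n != "style"]


def audit(version: str, attributes: AttributesArg, tags: Iterable[str] = ()) -> dict:
    """Summarise exposure: both conditions from the advisory must hold."""
    affected = version_is_affected(version)
    style = allows_style_attribute(attributes, tags)
    return {
        "version_affected": affected,
        "style_allowed": style,
        "redos_exposed": affected and style,
    }


if __name__ == "__main__":
    # Constructed example mirroring the advisory's attributes={'a': ['style']}.
    weak = {"a": ["style", "href"]}
    print(audit("3.1.3", weak, tags=["a"]))               # exposed
    print(audit("3.1.3", strip_style(weak), tags=["a"]))  # mitigated by config
    print(audit("3.1.4", weak, tags=["a"]))               # mitigated by upgrade
```

Upgrading to 3.1.4 or later is the real fix; `strip_style` only removes the trigger condition the advisory names and should be treated as a stopgap.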


CVE Name CVE-2020-6817
FreeBSD PR ports/245943