CVE-2019-19275: typed-ast Out-of-bounds Read
CVSS Score: 7.5 (CVSS v3.1)

Basic Information
CVE ID: CVE-2019-19275
GHSA ID: (not listed)
EPSS Score: 0.79282%
CWE: (not listed)
Published: 12/2/2019
Updated: 11/18/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| typed-ast | pip | >= 1.3.0, <= 1.3.1 | 1.3.2 |
Vulnerability Intelligence (Miggo AI)

Root Cause Analysis
The vulnerability stems from two locations in Python/ast.c where the array index is incremented without a subsequent bounds check, so a later read of the child node array can go past its end. Commit a4d7836 in CPython and commit dc317ac in typed_ast fix this by adding explicit 'i < NCH(n)' checks in the two affected functions, preventing the out-of-bounds read. Both functions are referenced directly in the CVE description and in the patch diffs; the bug is triggered when parsing malformed argument lists.