Miggo Logo
Miggo Vulnerability Database
CVE-2020-28493

CVE-2020-28493: Regular Expression Denial of Service (ReDoS) in Jinja2

5.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-28493
GHSA ID
GHSA-g3rq-g295-4j3m
EPSS Score
0.43241%
CWE
CWE-400
Published
3/19/2021
Updated
9/24/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Package NameEcosystemVulnerable VersionsFirst Patched Version
jinja2pip< 2.11.32.11.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

  1. The vulnerability documentation explicitly mentions the urlize filter as the attack vector.
  2. The commit diff shows removal of _simple_email_re and _punctuation_re regex patterns in utils.py, which were directly used by the urlize function.
  3. The patch modifies the email validation regex to a stricter pattern (r'^\S+@\w[\w.-]*.\w+$') and reworks punctuation handling to reduce backtracking.
  4. Multiple sources (CVE, GHSA, commit message) link the vulnerability to regex inefficiencies in urlize's email matching and punctuation processing logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T*is *****ts t** p**k*** jinj** *rom *.*.* *n* ***or* *.**.*. T** R**OS vuln*r**ility o* t** r***x is m*inly *u* to t** su*-p*tt*rn [*-z*-Z*-*._-]+.[*-z*-Z*-*._-]+ T*is issu* **n ** miti**t** *y M*rk*own to *orm*t us*r *ont*nt inst*** o* t** urliz* *

Reasoning

*. T** vuln*r**ility *o*um*nt*tion *xpli*itly m*ntions t** urliz* *ilt*r *s t** *tt**k v**tor. *. T** *ommit *i** s*ows r*mov*l o* _simpl*_*m*il_r* *n* _pun*tu*tion_r* r***x p*tt*rns in utils.py, w*i** w*r* *ir**tly us** *y t** urliz* *un*tion. *. T*