5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39280

GHSA ID

GHSA-8fg9-p83m-x5pq

EPSS Score

0.32831%

CWE

CWE-400

Published

9/27/2022

Updated

11/18/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39280

CVE-2022-39280: ReDoS issue in dparse

Impact

dparse versions prior to 0.5.1 contain a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

All users parsing index server URLs with dparse are impacted by this vulnerability.

Patches

The Patch is applied in the 0.5.2 version, all users are recommended to upgrade as soon as possible.

Workarounds

Avoid passing index server URLs in the source file to be parsed.

References

https://github.com/pyupio/dparse/tree/security/remove-intensive-regex

For more information

If you have any questions or comments about this advisory:

Email us at support@pyup.io

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39280

CVE-2022-39280:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39280

GHSA ID

GHSA-8fg9-p83m-x5pq

EPSS Score

0.32831%

CWE

CWE-400

Published

9/27/2022

Updated

11/18/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dparse	pip	< 0.5.2	0.5.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from the URL_REGEX pattern used in parse_index_server. The commit diff shows this function was modified to remove regex-based validation, and the advisory explicitly references ReDoS in URL parsing. The removed URL_REGEX in regex.py contained complex patterns with nested quantifiers and lookaheads - a classic ReDoS vector. The function's direct interaction with user-controlled URLs makes it the entry point for exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39280: ReDoS issue in dparse

Impact

Patches

Workarounds

References

For more information

CVE-2022-39280:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.9

5.9

CVE-2022-39280: ReDoS issue in dparse

Impact

Patches

Workarounds

References

For more information

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI