7.5

CVSS Score

Basic Information

CVE ID

CVE-2022-42969

GHSA ID

GHSA-w596-4wvx-j9j6

EPSS Score

CWE

CWE-1333

Published

10/16/2022

Updated

10/21/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-42969

CVE-2022-42969:
ReDoS in py library when used with subversion

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled.

The particular codepath in question is the regular expression at py._path.svnurl.InfoSvnCommand.lspattern and is only relevant when dealing with subversion (svn) projects. Notably the codepath is not used in the popular pytest project. The developers of the pytest package have released version 7.2.0 which removes their dependency on py. Users of pytest seeing alerts relating to this advisory may update to version 7.2.0 of pytest to resolve this issue. See https://github.com/pytest-dev/py/issues/287#issuecomment-1290407715 for additional context.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2022-42969

GHSA ID

GHSA-w596-4wvx-j9j6

EPSS Score

CWE

CWE-1333

Published

10/16/2022

Updated

10/21/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
py	pip	<= 1.11.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the regular expression defined in InfoSvnCommand.lspattern, which is used to parse SVN repository info data. The regex contains multiple overlapping capture groups (e.g., .+? for author matching followed by optional size groups) and ambiguous space quantifiers (* and +) that can lead to exponential backtracking. When processing attacker-controlled input with excessive spaces (as demonstrated in the PoC), this causes polynomial/combinatorial regex complexity. The init method directly uses this regex for parsing, making both the regex definition and its usage point vulnerable. The code location and attack vector are explicitly referenced in multiple sources including GitHub advisories and NVD records.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** py li*r*ry t*rou** *.**.* *or Pyt*on *llows r*mot* *tt**k*rs to *on*u*t * R**oS (R**ul*r *xpr*ssion **ni*l o* S*rvi**) *tt**k vi* * Su*v*rsion r*pository wit* *r**t** in*o **t*, ****us* t** In*oSvn*omm*n* *r*um*nt is mis**n*l**. T** p*rti*ul*r *

Reasoning

T** vuln*r**ility st*ms *rom t** r**ul*r *xpr*ssion ***in** in In*oSvn*omm*n*.lsp*tt*rn, w*i** is us** to p*rs* SVN r*pository in*o **t*. T** r***x *ont*ins multipl* ov*rl*ppin* **ptur* *roups (*.*., .+? *or *ut*or m*t**in* *ollow** *y option*l siz*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-42969: ReDoS in py library when used with subversion

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-42969:
ReDoS in py library when used with subversion

Vulnerability Intelligence
Miggo AI