Versions of the package black before 24.3.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the lines_with_leading_tabs_expanded function in the strings.py file. An attacker could exploit this vulnerability by crafting a malicious input that causes a denial of service.

Exploiting this vulnerability is possible when running Black on untrusted input, or if you habitually put thousands of leading tab characters in your docstrings.

Affected Packages

PyPI black

Affected versions: 0 (fixed in 24.3.0)

Related CVEs

CVE-2024-21503

Key Information

GHSA ID

GHSA-fj7x-q9j7-g6q6

Published

March 19, 2024 6:30 AM

Last Modified

March 20, 2024 3:24 PM

CVSS Score

5.0 /10

Primary Ecosystem

PyPI

Primary Package

black

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 13, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.