CVE-2023-30608

Aliases:GHSA-rrm6-wvj7-cwh2PYSEC-2023-87
Advisory lineage Upstream: 0 Downstream: 16
Modified
Published: 18 Apr 2023, 21:32
Last modified:03 Nov 2025, 21:48

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
1.26% LOW
1% probability +0.04%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

18 Apr 2023, 21:32
Published
Vulnerability first disclosed
03 Nov 2025, 21:48
Last Modified
Vulnerability information updated

Description

sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS Metrics

  • v4.0MEDIUMScore: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • v3.1MEDIUMScore: 5.5CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 1.26% Percentile: 80%

Techniques & Countermeasures

  • CWE-1333Inefficient Regular Expression Complexity

    The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Systems

  • andialbrechtsqlparse

    ≥ 0.1.15, < 0.4.4

  • debiandebian_linux

    10.0

  • PyPIsqlparse

    < e75e35869473832a1eb67772b1adfee2db11b85a | ≥ 0.1.15, < 0.4.4

  • sqlparse_projectsqlparse

    ≥ 0.1.15, < 0.4.4

References (9)