DEBIAN-CVE-2021-32839
Advisory lineage Upstream: 1 Downstream: 1
Upstream
Downstream
Published: 20 Sept 2021, 17:15
Last modified:28 Apr 2026, 20:22
Vulnerability Summary
Overall Risk (default)
medium
30/100 CVSS Score
7.5 HIGH
3.1 (osv_debian)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
20 Sept 2021, 17:15
Published
Vulnerability first disclosed
28 Apr 2026, 20:22
Last Modified
Vulnerability information updated
Description
sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the formatting feature that removes comments from SQL statements is affected by this regular expression. As a workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-comments command line flag when using the sqlformat command line tool. The issues has been fixed in sqlparse 0.4.2.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Systems
- debian•sqlparse
< 0.4.1-1+deb11u1 | < 0.4.2-1 | < 0.4.2-1 | < 0.4.2-1