GHSA-r9hx-vwmv-q579

Suggest an improvement
Source
https://github.com/advisories/GHSA-r9hx-vwmv-q579
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-r9hx-vwmv-q579/GHSA-r9hx-vwmv-q579.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-r9hx-vwmv-q579
Aliases
Related
Published
2022-12-23T00:30:23Z
Modified
2025-11-05T01:07:21.628214Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N CVSS Calculator
Summary
pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)
Details

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

Database specific 
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1333"
    ],
    "github_reviewed_at": "2022-12-27T14:51:05Z",
    "severity": "HIGH",
    "nvd_published_at": "2022-12-23T00:15:00Z"
}
References

Affected packages

PyPI / setuptools

Package

Name
setuptools
View open source insights on deps.dev
Purl
pkg:pypi/setuptools

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
65.5.1

Affected versions

0.*

0.6b1
0.6b2
0.6b3
0.6b4
0.6c1
0.6c2
0.6c3
0.6c4
0.6c5
0.6c6
0.6c7
0.6c8
0.6c9
0.6c10
0.6c11
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8
0.9
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8

1.*

1.0
1.1
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.2
1.3
1.3.1
1.3.2
1.4
1.4.1
1.4.2

2.*

2.0
2.0.1
2.0.2
2.1
2.1.1
2.1.2
2.2

3.*

3.0
3.0.1
3.0.2
3.1
3.2
3.3
3.4
3.4.1
3.4.2
3.4.3
3.4.4
3.5
3.5.1
3.5.2
3.6
3.7
3.7.1
3.8
3.8.1

4.*

4.0
4.0.1

5.*

5.0
5.0.1
5.0.2
5.1
5.2
5.3
5.4
5.4.1
5.4.2
5.5
5.5.1
5.6
5.7
5.8

6.*

6.0.1
6.0.2
6.1

7.*

7.0

8.*

8.0
8.0.1
8.0.2
8.0.3
8.0.4
8.1
8.2
8.2.1
8.3

9.*

9.0
9.0.1
9.1

10.*

10.0
10.0.1
10.1
10.2
10.2.1

11.*

11.0
11.1
11.2
11.3
11.3.1

12.*

12.0
12.0.1
12.0.2
12.0.3
12.0.4
12.0.5
12.1
12.2
12.3
12.4

13.*

13.0
13.0.1
13.0.2

14.*

14.0
14.1
14.1.1
14.2
14.3
14.3.1

15.*

15.0
15.1
15.2

16.*

16.0

17.*

17.0
17.1
17.1.1

18.*

18.0
18.0.1
18.1
18.2
18.3
18.3.1
18.3.2
18.4
18.5
18.6
18.6.1
18.7
18.7.1
18.8
18.8.1

19.*

19.0
19.1
19.1.1
19.2
19.3
19.4
19.4.1
19.5
19.6
19.6.1
19.6.2
19.7

20.*

20.0
20.1
20.1.1
20.2.2
20.3
20.3.1
20.4
20.6.6
20.6.7
20.6.8
20.7.0
20.8.0
20.8.1
20.9.0
20.10.1

21.*

21.0.0
21.1.0
21.2.0
21.2.1
21.2.2

22.*

22.0.0
22.0.1
22.0.2
22.0.4
22.0.5

23.*

23.0.0
23.1.0
23.2.0
23.2.1

24.*

24.0.0
24.0.1
24.0.2
24.0.3
24.1.0
24.1.1
24.2.0
24.2.1
24.3.0
24.3.1

25.*

25.0.0
25.0.1
25.0.2
25.1.0
25.1.1
25.1.2
25.1.3
25.1.4
25.1.5
25.1.6
25.2.0
25.3.0
25.4.0

26.*

26.0.0
26.1.0
26.1.1

27.*

27.0.0
27.1.0
27.1.2
27.2.0
27.3.0
27.3.1

28.*

28.0.0
28.1.0
28.2.0
28.3.0
28.4.0
28.5.0
28.6.0
28.6.1
28.7.0
28.7.1
28.8.0
28.8.1

29.*

29.0.0
29.0.1

30.*

30.0.0
30.1.0
30.2.0
30.2.1
30.3.0
30.4.0

31.*

31.0.0
31.0.1

32.*

32.0.0
32.1.0
32.1.1
32.1.2
32.1.3
32.2.0
32.3.0
32.3.1

33.*

33.1.0
33.1.1

34.*

34.0.0
34.0.1
34.0.2
34.0.3
34.1.0
34.1.1
34.2.0
34.3.0
34.3.1
34.3.2
34.3.3
34.4.0
34.4.1

35.*

35.0.0
35.0.1
35.0.2

36.*

36.0.1
36.1.0
36.1.1
36.2.0
36.2.1
36.2.2
36.2.3
36.2.4
36.2.5
36.2.6
36.2.7
36.3.0
36.4.0
36.5.0
36.6.0
36.6.1
36.7.0
36.7.1
36.7.2
36.8.0

37.*

37.0.0

38.*

38.0.0
38.1.0
38.2.0
38.2.1
38.2.3
38.2.4
38.2.5
38.3.0
38.4.0
38.4.1
38.5.0
38.5.1
38.5.2
38.6.0
38.6.1
38.7.0

39.*

39.0.0
39.0.1
39.1.0
39.2.0

40.*

40.0.0
40.1.0
40.1.1
40.2.0
40.3.0
40.4.0
40.4.1
40.4.2
40.4.3
40.5.0
40.6.0
40.6.1
40.6.2
40.6.3
40.7.0
40.7.1
40.7.2
40.7.3
40.8.0
40.9.0

41.*

41.0.0
41.0.1
41.1.0
41.2.0
41.3.0
41.4.0
41.5.0
41.5.1
41.6.0

42.*

42.0.0
42.0.1
42.0.2

43.*

43.0.0

44.*

44.0.0
44.1.0
44.1.1

45.*

45.0.0
45.1.0
45.2.0
45.3.0

46.*

46.0.0
46.1.0
46.1.1
46.1.2
46.1.3
46.2.0
46.3.0
46.3.1
46.4.0

47.*

47.0.0
47.1.0
47.1.1
47.2.0
47.3.0
47.3.1
47.3.2

48.*

48.0.0

49.*

49.0.0
49.0.1
49.1.0
49.1.1
49.1.2
49.1.3
49.2.0
49.2.1
49.3.0
49.3.1
49.3.2
49.4.0
49.5.0
49.6.0

50.*

50.0.0
50.0.1
50.0.2
50.0.3
50.1.0
50.2.0
50.3.0
50.3.1
50.3.2

51.*

51.0.0
51.1.0
51.1.0.post20201221
51.1.1
51.1.2
51.2.0
51.3.0
51.3.1
51.3.2
51.3.3

52.*

52.0.0

53.*

53.0.0
53.1.0

54.*

54.0.0
54.1.0
54.1.1
54.1.2
54.1.3
54.2.0

56.*

56.0.0
56.1.0
56.2.0

57.*

57.0.0
57.1.0
57.2.0
57.3.0
57.4.0
57.5.0

58.*

58.0.0
58.0.1
58.0.2
58.0.3
58.0.4
58.1.0
58.2.0
58.3.0
58.4.0
58.5.0
58.5.1
58.5.2
58.5.3

59.*

59.0.1
59.1.0
59.1.1
59.2.0
59.3.0
59.4.0
59.5.0
59.6.0
59.7.0
59.8.0

60.*

60.0.0
60.0.1
60.0.2
60.0.3
60.0.4
60.0.5
60.1.0
60.1.1
60.2.0
60.3.0
60.3.1
60.4.0
60.5.0
60.6.0
60.7.0
60.7.1
60.8.0
60.8.1
60.8.2
60.9.0
60.9.1
60.9.2
60.9.3
60.10.0

61.*

61.0.0
61.1.0
61.1.1
61.2.0
61.3.0
61.3.1

62.*

62.0.0
62.1.0
62.2.0
62.3.0
62.3.1
62.3.2
62.3.3
62.3.4
62.4.0
62.5.0
62.6.0

63.*

63.0.0b1
63.0.0
63.1.0
63.2.0
63.3.0
63.4.0
63.4.1
63.4.2
63.4.3

64.*

64.0.0
64.0.1
64.0.2
64.0.3

65.*

65.0.0
65.0.1
65.0.2
65.1.0
65.1.1
65.2.0
65.3.0
65.4.0
65.4.1
65.5.0