CVE-2022-40023

CVE Database · CVE-2022-40023

CVE-2022-40023

· HIGHModified

CVSS v3.1

7.5

EPSS

1.66%

Published

Sep 7, 2022

Modified

Dec 3, 2025

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

CWE-1333

Affected Products (2)

sqlalchemy · mako (up to 1.2.2)vulnerable

debian · debian_linuxvulnerable

References (13)

https://github.com/sqlalchemy/mako/blob/c2f392e0be52dc67d1b9770ab8cce6a9c736d547/mako/ext/extract.py#L21

ExploitThird Party Advisory

https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c

Patch

https://github.com/sqlalchemy/mako/issues/366

Issue TrackingPatch

https://lists.debian.org/debian-lts-announce/2022/09/msg00026.html

Mailing ListThird Party Advisory

https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs