[langchain-mongodb] Pygments has Regular Expression Denial of Service (ReDoS) due to Inefficient Regex for GUID Matching

XMLWordPrintableJSON

    • None
    • Python Drivers
    • Not Needed
    • None
    • None
    • None
    • None
    • None
    • None

      Context

      A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

      https://github.com/langchain-ai/langchain-mongodb/security/dependabot/101

       

      Definition of done

      Update pytest version, which is what brings this in. If this alone doesn't work:
      uv lock --upgrade-package pygments

      Include in next release. It's not urgent.

      Pitfalls

      What should the implementer watch out for? What are the risks?

      It may reappear and dependabot will flag it again.

            Assignee:
            Casey Clements
            Reporter:
            Casey Clements
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: