CVE-2020-6817

CVSS 3.x: 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, availability impact only)

📋 TL;DR

This CVE describes a regular expression denial of service (ReDoS) vulnerability in Mozilla's bleach HTML sanitizing library: the regex that bleach.clean uses to sanitize style attribute values backtracks catastrophically on a crafted value. An attacker who can submit HTML to an endpoint that cleans it with 'style' in the allowed attributes can cause excessive CPU consumption and service degradation. Applications running bleach below 3.1.4 with 'style' allowed on any tag are affected; the default allowlist does not include style.

💻 Affected Systems

Products:
  • Mozilla bleach
Versions: All versions before 3.1.4
Operating Systems: All
Default Config Vulnerable: No. bleach's default ALLOWED_ATTRIBUTES does not include style.
Notes: Vulnerable only when bleach.clean is called with 'style' present in the allowed attributes (on any tag, including a '*' wildcard entry). The `styles` property allowlist does not matter: the vulnerable regex runs on every style attribute value that passes the attribute allowlist, even when no CSS properties are allowed.

📦 What is this software?

bleach is an allowlist-based HTML sanitizing library for Python, maintained by Mozilla and built on html5lib. Applications call bleach.clean on untrusted user-submitted HTML (comments, profiles, rich-text fields) to strip disallowed tags, attributes, URL protocols and inline CSS before rendering it. Mozilla deprecated bleach in 2023, so beyond applying this fix, plan for a replacement.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to CPU exhaustion, affecting all users of the vulnerable application.

🟠 Likely Case: Degraded performance and intermittent service disruptions for users accessing affected endpoints; each crafted request ties up one worker process or thread until the regex finishes or the request times out.

🟢 If Mitigated: Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only submitting HTML that contains a crafted style attribute value to an endpoint that passes it through bleach.clean with 'style' allowed. No privileges beyond the endpoint's own access requirements are needed, and a single request can occupy a worker for the whole duration of the regex backtracking.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.4

Vendor Advisory: https://github.com/mozilla/bleach/security/advisories/GHSA-vqhp-cxgc-6wmm

Restart Required: Yes. A pip upgrade replaces the files on disk, but a running Python process keeps the module it already imported; web workers, Celery workers and other long-lived processes must be restarted to load 3.1.4.

Instructions:

1. Upgrade bleach in the environment the application actually runs in (virtualenv or container image), quoting the specifier so the shell does not treat >= as a redirection: pip install --upgrade 'bleach>=3.1.4'. Pin the new version in your requirements or lock file so a later deploy does not roll it back.
2. Verify the upgrade took effect in that interpreter: python -c "import bleach; print(bleach.__version__)"
3. Restart every Python process that imports bleach so the patched module is actually loaded.

🔧 Temporary Workarounds

Disable style attribute parsing (applies to all affected versions)

Remove 'style' from the allowed attributes passed to bleach.clean. bleach only runs its CSS sanitizer, where the vulnerable regex lives, on a style attribute that has survived the attribute allowlist, so disallowing the attribute removes the code path entirely. The default allowlist already excludes style; check any custom `attributes=` argument, including a '*' wildcard entry and any callable filter.

Input validation and sanitization (applies to all affected versions)

If style must stay enabled, bound what reaches bleach: reject or truncate oversized style attribute values before bleach processes the content, for example with a callable `attributes` filter that enforces a length cap and a conservative character set. ReDoS runtime grows super-linearly with the length of the matched text, so a hard cap bounds the worst case even though the vulnerable regex still runs. Treat this as a stopgap, not a fix.
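The two workarounds above in code, as an added example that is neither bleach's own code nor part of the original advisory. It assumes bleach 3.x semantics for the `attributes` argument (a list, a dict of tag to list or callable, or a bare callable with signature (tag, name, value)), and that bleach applies the attribute callable before a style value reaches its CSS sanitizer, which is how bleach 3.x's allow_token is ordered. VULNERABLE_ATTRIBUTES is a constructed configuration, and MAX_STYLE_LEN and STYLE_CHARS are this example's own choices, not bleach defaults.

```python
"""Added example, not bleach's own code or from the original advisory: hardening a
bleach.clean configuration against CVE-2020-6817 when upgrading is not yet possible.

Two independent mitigations, matching the two workarounds above:
  1. strip_style(): remove 'style' from an allowed-attributes setting in every shape
     bleach accepts (list, dict of tag -> list or callable, or a bare callable).
  2. bounded_style_filter(): an attribute callable that admits 'style' only when the
     value is short and drawn from a conservative character set. In bleach 3.x the
     attribute callable runs before the value reaches the CSS sanitizer, so this caps
     the text the vulnerable regex ever sees.
bleach is imported only if installed; the helpers operate on plain data.
"""
from typing import Callable, Dict, List, Union

AttrFilter = Callable[[str, str, str], bool]
AttrSpec = Union[List[str], Dict[str, Union[List[str], AttrFilter]], AttrFilter]

# Constructed example of a vulnerable configuration: 'style' is allowed on <p> and,
# via the '*' wildcard, on every tag. bleach's default allowlist has no style at all.
VULNERABLE_ATTRIBUTES: Dict[str, List[str]] = {
    "a": ["href", "title"],
    "p": ["class", "style"],
    "*": ["style"],
}

MAX_STYLE_LEN = 256  # assumption: generous for legitimate inline CSS, tiny for a ReDoS payload
STYLE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 :;#%,.-()"
)


def _drop_style(names) -> List[str]:
    return [n for n in names if n.lower() != "style"]


def _wrap_callable(fn: AttrFilter) -> AttrFilter:
    """Return a filter identical to fn except that it always rejects 'style'."""
    def filtered(tag: str, name: str, value: str) -> bool:
        if name.lower() == "style":
            return False
        return fn(tag, name, value)
    return filtered


def strip_style(attributes: AttrSpec) -> AttrSpec:
    """Copy of `attributes` (same shape) under which no tag may carry style."""
    if callable(attributes):
        return _wrap_callable(attributes)
    if isinstance(attributes, dict):
        return {
            tag: _wrap_callable(spec) if callable(spec) else _drop_style(spec)
            for tag, spec in attributes.items()
        }
    return _drop_style(attributes)


def bounded_style_filter(tag: str, name: str, value: str) -> bool:
    """Attribute callable for bleach.clean(attributes=bounded_style_filter).

    Allows href and title on any tag, and style only when the value is short and
    uses a conservative character set. The check is a set comparison, not a regex,
    so the filter itself cannot backtrack. Removing style (strip_style) is safer.
    """
    lname = name.lower()
    if lname in ("href", "title"):
        return True
    if lname == "style":
        return len(value) <= MAX_STYLE_LEN and set(value) <= STYLE_CHARS
    return False


def allows_style(attributes: AttrSpec) -> bool:
    """True if some tag could carry a style attribute under `attributes`."""
    probe = ("p", "style", "color: red")
    if callable(attributes):
        return attributes(*probe)
    if isinstance(attributes, dict):
        return any(
            spec(*probe) if callable(spec) else any(n.lower() == "style" for n in spec)
            for spec in attributes.values()
        )
    return any(n.lower() == "style" for n in attributes)


if __name__ == "__main__":
    hardened = strip_style(VULNERABLE_ATTRIBUTES)
    print("vulnerable config allows style:", allows_style(VULNERABLE_ATTRIBUTES))
    print("hardened config allows style:  ", allows_style(hardened))
    try:
        import bleach  # optional: show the hardened allowlist in use if bleach is installed
        print(bleach.clean('<p style="color:red" class="x">hi</p>', tags=["p"], attributes=hardened))
    except ImportError:
        print("bleach is not installed here; the config helpers still apply")
```

Pass `strip_style(your_attributes)` as the `attributes=` argument of every bleach.clean call to take the first workaround, or `attributes=bounded_style_filter` (adapted to the attributes your application actually needs) to take the second. `allows_style` is a quick audit helper for spotting allowlists, including '*' wildcards and callables, that still let style through.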

🧯 If You Can't Patch

  • Implement rate limiting and request throttling on endpoints that accept HTML, to limit how many workers an attacker can tie up at once
  • Enforce a hard per-request timeout in the application server (for example gunicorn's --timeout for sync workers) so a worker stuck in regex backtracking is killed and recycled rather than hung indefinitely
  • Cap request body size and the length of user-supplied HTML at the edge (WAF or reverse proxy); ReDoS payloads need length to be effective, and size limits are more dependable than pattern-based ReDoS signatures

🔍 How to Verify

Check if Vulnerable:

Print the installed version in the environment the service actually runs in (virtualenv or container, not your workstation); anything below 3.1.4 is vulnerable whenever 'style' is an allowed attribute: python -c "import bleach; print(bleach.__version__)"

Check Version:

pip show bleach (shows the installed version and location; confirm it is the interpreter your application uses)

Verify Fix Applied:

Do not compare version strings lexicographically: in Python '10.0.0' >= '3.1.4' is False. Use a version-aware comparison: python -c "from packaging.version import Version; import bleach; print(Version(bleach.__version__) >= Version('3.1.4'))". If you rely on the workaround instead of the patch, also search the code base for attributes allowlists that still include 'style'.
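A dependency-free version of the check above, as an added example that is not from the bleach project. It assumes only that bleach exposes `__version__` (which it does) and parses the leading dotted numeric components itself so that "3.10.0" and "10.0.0" compare correctly and a pre-release such as "3.1.4rc1" sorts below the 3.1.4 release.

```python
"""Added example (not from the bleach project): decide whether an installed bleach is
at or above the fixed release 3.1.4 without comparing version strings lexicographically
("10.0.0" >= "3.1.4" is False as strings). Stdlib only; packaging is not required.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "3.1.4"

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")
_PRERELEASE_RE = re.compile(r"^[-.]?(a|b|rc|dev|alpha|beta|pre)", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return ((numeric components), is_final) for tuple comparison.

    Trailing zero components are dropped so '3.1' == '3.1.0'. A pre-release suffix
    (rc1, b2, .dev0, ...) sets is_final to 0 so it sorts below the final release
    with the same numbers. Raises ValueError if no numeric component is present.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    is_final = 0 if _PRERELEASE_RE.match(m.group(2).strip()) else 1
    return tuple(nums), is_final


def is_fixed(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is at or above the fixed release."""
    return parse_version(version) >= parse_version(fixed)


def string_compare_is_wrong(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when naive string comparison disagrees with the correct answer."""
    return (version >= fixed) != is_fixed(version, fixed)


def installed_bleach_version() -> Optional[str]:
    """bleach.__version__ if bleach is importable in this interpreter, else None."""
    try:
        import bleach
    except ImportError:
        return None
    return bleach.__version__


if __name__ == "__main__":
    v = installed_bleach_version()
    if v is None:
        print("bleach is not installed in this interpreter")
    else:
        state = "fixed" if is_fixed(v) else "VULNERABLE to CVE-2020-6817"
        print(f"bleach {v}: {state}")
```

Run it with the interpreter that serves the application; a clean result on a developer machine says nothing about the deployed environment.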

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage on web or worker hosts with no matching increase in request volume
  • Increased request processing times on endpoints that accept HTML (comments, profiles, rich-text fields)
  • Application-server worker timeouts and restarts (for example gunicorn's "WORKER TIMEOUT" messages) clustered in time
  • Multiple requests with similar, long style attribute values, often from a small set of clients

Network Indicators:

  • Repeated POST/PUT requests carrying long inline style attributes, or oversized request bodies, to the same HTML-accepting endpoint
  • Traffic spikes, client-side aborts (nginx status 499) or upstream timeouts (504) concentrated on endpoints that call bleach.clean

SIEM Query:

The library name never appears on the wire, so do not search for "bleach" in URIs. Look instead for slow write requests to the endpoints that sanitize HTML. Field names below are placeholders to map onto your own log schema, and /comments stands in for your HTML-accepting endpoint:

source="web_logs" AND http_method IN ("POST","PUT","PATCH") AND uri_path="/comments" AND request_time_ms>5000 | stats count, max(request_time_ms) BY client_ip, uri_path | where count>=2
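The same detection logic run over a handful of log lines, as an added example that is not part of the original page. The log lines are constructed for this example in a combined-log-like format with an appended duration field (`rt=<seconds>`, the way nginx's $request_time is often logged); the thresholds, the field layout in LOG_RE and the /comments endpoint are assumptions to adjust to your environment.

```python
"""Added example (not from the original page or the bleach project): flag the
'repeated slow write requests from one client to one HTML-accepting endpoint'
pattern that a ReDoS attack against bleach.clean produces in access logs.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

SLOW_SECONDS = 5.0   # assumption: a normal bleach.clean call finishes in milliseconds
MIN_HITS = 2         # assumption: two slow requests from one client to one path merit a look
TIMEOUT_STATUSES = {499, 502, 503, 504}  # client gave up or the upstream timed out

# Constructed sample: combined log fields plus rt=<request seconds>. Addresses are
# documentation ranges; nothing here comes from a real system.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2020:10:00:01 +0000] "POST /comments HTTP/1.1" 200 512 rt=0.012
198.51.100.7 - - [24/Mar/2020:10:00:02 +0000] "POST /comments HTTP/1.1" 200 512 rt=9.870
198.51.100.7 - - [24/Mar/2020:10:00:13 +0000] "POST /comments HTTP/1.1" 499 0 rt=30.001
198.51.100.7 - - [24/Mar/2020:10:00:45 +0000] "POST /comments HTTP/1.1" 499 0 rt=30.002
10.0.0.9 - - [24/Mar/2020:10:00:50 +0000] "GET /comments HTTP/1.1" 200 2048 rt=0.004
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ rt=(?P<rt>[\d.]+)$'
)


class Request(NamedTuple):
    ip: str
    method: str
    path: str
    status: int
    seconds: float


def parse_log(text: str) -> List[Request]:
    """Parse lines matching LOG_RE; lines in another shape are skipped, not fatal."""
    out: List[Request] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        out.append(Request(m["ip"], m["method"], m["path"], int(m["status"]), float(m["rt"])))
    return out


def find_slow_clusters(
    requests: List[Request], slow: float = SLOW_SECONDS, min_hits: int = MIN_HITS
) -> Dict[Tuple[str, str, str], dict]:
    """Group slow body-carrying requests by (client, method, path) and summarise
    the groups that reach `min_hits`. GETs are ignored: the payload rides in the
    submitted HTML, not in the URL."""
    buckets: Dict[Tuple[str, str, str], List[Request]] = defaultdict(list)
    for r in requests:
        if r.method in ("POST", "PUT", "PATCH") and r.seconds >= slow:
            buckets[(r.ip, r.method, r.path)].append(r)
    findings = {}
    for key, hits in buckets.items():
        if len(hits) >= min_hits:
            findings[key] = {
                "count": len(hits),
                "max_seconds": max(h.seconds for h in hits),
                "timeouts": sum(h.status in TIMEOUT_STATUSES for h in hits),
            }
    return findings


if __name__ == "__main__":
    for (ip, method, path), info in find_slow_clusters(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip} {method} {path}: {info['count']} slow requests, "
              f"max {info['max_seconds']:.3f}s, {info['timeouts']} timed out or aborted")
```

The duration field is the signal that matters; without per-request timing in the access log, fall back on worker-timeout messages from the application server and CPU metrics, correlated by time.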
