CVE-2021-20270
📋 TL;DR
This vulnerability in Pygments' SMLLexer causes an infinite loop when processing Standard ML source files containing only the 'exception' keyword, leading to denial of service. It affects systems using Pygments versions 1.5 through 2.7.3 for syntax highlighting of SML files. Any application or service that uses vulnerable Pygments versions to highlight SML code is potentially affected.
💻 Affected Systems
- Pygments
📦 What is this software?
- Pygments (vendor: Pygments), the Python syntax-highlighting library whose SMLLexer contains the bug
- Fedora (vendor: Fedoraproject), which ships Pygments as a distribution package
⚠️ Risk & Real-World Impact
Worst Case
A single crafted input pins one CPU core in an infinite loop for as long as the process lives. The lexer hangs rather than crashes, so nothing restarts it; enough such requests exhaust every highlighting worker and the service stops responding.
Likely Case
Temporary service disruption or performance degradation when malicious SML input is processed.
If Mitigated
Minimal impact once Pygments is at 2.7.4 or later. Until then, a hard per-request timeout on highlighting bounds the damage to one wasted worker slot per malicious request.
🎯 Exploit Status
Exploitation only requires getting a vulnerable instance to run SMLLexer over attacker-controlled text, for example by uploading a .sml file or selecting SML as the language. The public trigger is a file whose entire content is the keyword exception; the CVE cites this as a demonstration, so other inputs may reach the same loop. No memory corruption is involved and no special privileges are needed beyond whatever the application requires to accept code for highlighting.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.4 and later
Vendor Advisory: https://pygments.org/docs/changelog/
Restart Required: Yes for long-running processes. Python keeps the already-imported module in memory, so any service that imported Pygments before the upgrade must be restarted to pick up 2.7.4.
Instructions:
1. Upgrade Pygments to 2.7.4 or later: pip install --upgrade "pygments>=2.7.4" (quote the specifier so the shell does not treat > as a redirect). For distribution packages, apply the vendor update instead (e.g. DSA-4889 on Debian).
2. Verify with the interpreter the application actually uses: python -c "import pygments; print(pygments.__version__)" must print 2.7.4 or later.
3. Restart the service, then test SML highlighting, including the one-word input exception, under a timeout so a regression cannot hang the test itself.
🔧 Temporary Workarounds
Disable SML highlighting
Disable Pygments syntax highlighting for Standard ML in affected applications: configure the application to skip Pygments for .sml files and reject an explicit language selection of sml, falling back to plain text.
Input validation
Reject SML input that consists solely of the exception keyword before it reaches Pygments. Treat this as a stopgap only: the CVE describes that input as a demonstration, not as the only trigger, so a pre-processing filter narrows the known case but does not close the bug.
🧯 If You Can't Patch
- Run Pygments in an isolated worker or subprocess with a hard wall-clock timeout, and kill it on expiry, so a hung lexer costs one worker slot rather than the whole service
- Reject or plain-text-render SML input until patched; a filter for the known one-word trigger helps but does not cover every input that may reach the loop
- Monitor CPU and worker-pool saturation and rate-limit file-processing endpoints per client so one source cannot exhaust all workers
🔍 How to Verify
Check if Vulnerable:
python -c "import pygments; print(pygments.__version__)"
Any version from 1.5 through 2.7.3 inclusive is affected. Run the command with the interpreter the application actually uses; virtualenvs and distribution packages can carry different versions.
Verify Fix Applied:
Highlight a minimal SML input containing only the word exception with SMLLexer under a timeout (a few seconds is plenty; a healthy lexer returns instantly). A fixed build returns; a vulnerable build hits the timeout.
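The following script is an added example, not code from the advisory or the Pygments project. It serves both the "If You Can't Patch" workaround (highlighting in a killed-on-timeout subprocess) and the verification steps above: it classifies the installed version against the 1.5 to 2.7.3 range and feeds the one-word exception trigger to SMLLexer in a child interpreter with a deadline. The only Pygments names it relies on are highlight, SMLLexer and NullFormatter, all of which exist in the affected and fixed releases; everything else (function names, the five-second default timeout) is this example's own choice.

```python
"""CVE-2021-20270: timeout-isolated SML highlighting and a version check.

Added example, not part of the advisory or of Pygments. The child interpreter
may or may not have Pygments installed; both cases are reported, not raised.
"""
import re
import subprocess
import sys
from typing import Tuple

# Affected range from the advisory: 1.5 through 2.7.3 inclusive; fixed in 2.7.4.
VULN_LOW = (1, 5, 0)
VULN_HIGH = (2, 7, 3)

# Runs inside a fresh interpreter so a hung lexer can be killed without
# touching the caller's process. NullFormatter emits token text unchanged.
CHILD_SCRIPT = r"""
import sys
from pygments import highlight
from pygments.lexers import SMLLexer
from pygments.formatters import NullFormatter
sys.stdout.write(highlight(sys.stdin.read(), SMLLexer(), NullFormatter()))
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.7.3' -> (2, 7, 3); '2.0' -> (2, 0, 0). Pre-release tags are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_version(version: str) -> bool:
    """True when the version lies in the advisory's affected range."""
    return VULN_LOW <= parse_version(version) <= VULN_HIGH


def run_python_with_timeout(script: str, stdin_text: str, timeout: float) -> Tuple[str, str]:
    """Run `script` in a child interpreter with `stdin_text` on stdin.

    Returns ("ok", stdout), ("timeout", "") or ("error", stderr). On expiry
    subprocess.run kills the child, so the spinning lexer does not linger.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", script],
            input=stdin_text, capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return ("timeout", "")
    if proc.returncode != 0:
        return ("error", proc.stderr)
    return ("ok", proc.stdout)


def highlight_sml_isolated(source: str, timeout: float = 5.0) -> Tuple[str, str]:
    """Workaround form: highlight SML in a subprocess bounded by `timeout` seconds."""
    return run_python_with_timeout(CHILD_SCRIPT, source, timeout)


def check_trigger(timeout: float = 5.0) -> str:
    """Verification form: feed the advisory's one-word trigger to SMLLexer."""
    status, detail = highlight_sml_isolated("exception", timeout)
    if status == "timeout":
        return "VULNERABLE: SMLLexer hung on the 'exception' input"
    if status == "ok":
        return "not affected: SMLLexer returned"
    return "could not test: child interpreter failed (is Pygments installed?)\n" + detail


if __name__ == "__main__":
    try:
        import pygments  # only needed for the report; the check itself is string-based
        print("installed:", pygments.__version__,
              "(vulnerable)" if is_vulnerable_version(pygments.__version__) else "(not in affected range)")
    except ImportError:
        print("Pygments not importable in this interpreter")
    print(check_trigger())
```

Run it with the interpreter the application uses. The version check is the fast path; the trigger check is the one that matters, because it exercises the actual lexer rather than trusting metadata, and the subprocess boundary is what makes it safe to run against a vulnerable build.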
📡 Detection & Monitoring
Log Indicators:
- Sustained 100% CPU on a single highlighting worker with no matching request completion
- Request or worker timeouts when processing SML input (.sml uploads or language=sml)
- Workers killed by watchdogs or supervisors during syntax highlighting
Network Indicators:
- Repeated SML file uploads to vulnerable endpoints
- Unusual traffic patterns to syntax highlighting services
SIEM Query (illustrative; field names depend on your platform and log format):
source="application.log" AND ("timeout" OR "high cpu" OR "sml") AND process="pygments"
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1922136
- https://lists.debian.org/debian-lts-announce/2021/05/msg00003.html
- https://lists.debian.org/debian-lts-announce/2021/05/msg00006.html
- https://www.debian.org/security/2021/dsa-4889
- https://www.oracle.com/security-alerts/cpuoct2021.html