CVE-2021-27291

7.5 HIGH

📋 TL;DR

CVE-2021-27291 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Pygments syntax highlighting library, versions 1.1 through 2.7.3. An attacker can craft input that drives the library's regular expressions into exponential or cubic matching time, causing excessive CPU consumption and service disruption. Any application that passes untrusted source code through a vulnerable Pygments version for lexing or highlighting is affected.

💻 Affected Systems

Products:
  • Pygments
Versions: 1.1 through 2.7.3
Operating Systems: All operating systems running Python
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Pygments for syntax highlighting or code parsing is vulnerable when processing untrusted input.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service with prolonged CPU exhaustion, potentially causing application crashes, service unavailability, and resource starvation affecting other services on the same host.

🟠 Likely Case: Temporary service degradation or unavailability when processing malicious input, requiring a service restart and causing user disruption.

🟢 If Mitigated: Minimal impact with proper input validation, rate limiting, and an updated Pygments version; potential brief performance degradation.

🌐 Internet-Facing: MEDIUM - Requires attacker to submit specially crafted code to be processed by Pygments, which is common in web applications with code highlighting features.
🏢 Internal Only: LOW - Internal systems typically process trusted code, but risk exists if processing user-generated or external code.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available in GitHub gist; exploitation requires submitting malicious code to be processed by Pygments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.4

Vendor Advisory: https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14

Restart Required: Yes

Instructions:

1. Update Pygments: pip install --upgrade pygments==2.7.4
2. Restart all applications using Pygments
3. Verify no dependencies pin older vulnerable versions

🔧 Temporary Workarounds

Input validation and sanitization (all): Implement strict input validation to reject or sanitize code containing patterns that trigger ReDoS.

Rate limiting and timeout (all): Implement processing timeouts and rate limiting for code parsing operations.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block suspicious patterns in code submissions
  • Isolate Pygments processing to dedicated containers with strict resource limits and monitoring

🔍 How to Verify

Check if Vulnerable:

Check the Pygments version: python -c "import pygments; print(pygments.__version__)" - if the version is between 1.1 and 2.7.3 inclusive, the system is vulnerable.

Check Version:

python -c "import pygments; print(pygments.__version__)"

Verify Fix Applied:

After updating, verify that the version is 2.7.4 or higher: python -c "import pygments; print(pygments.__version__)"
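As an added example (not part of this advisory and not Pygments' own code), the following covers both the processing-timeout workaround listed above and the version check in this section: the version test encodes the advisory's 1.1 through 2.7.3 range, and run_with_timeout executes highlighting in a child process that is killed when it exceeds a wall-clock budget. The lexer name, the time budget and the two stand-in functions used to exercise the wrapper are assumptions for illustration.

```python
"""Added example for CVE-2021-27291 (not part of the advisory or of Pygments):
version-range check plus a kill-on-overrun wrapper around highlighting."""
import multiprocessing as mp
import re
import time

# Vulnerable range from the advisory, inclusive at both ends.
VULNERABLE_MIN = (1, 1)
VULNERABLE_MAX = (2, 7, 3)

# A forked child can be killed with terminate(); fall back to the default
# start method where fork is unavailable (Windows).
try:
    _CTX = mp.get_context("fork")
except ValueError:
    _CTX = mp.get_context()


def parse_version(text):
    """Turn '2.7.4' or '2.7.4.dev0' into a tuple of its leading integers."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(parts)


def is_vulnerable_version(text):
    """True when 1.1 <= version <= 2.7.3 (tuple comparison, so 2.7 < 2.7.3)."""
    return VULNERABLE_MIN <= parse_version(text) <= VULNERABLE_MAX


def installed_pygments_status():
    """None if Pygments is not importable, else whether the installed version is vulnerable."""
    try:
        import pygments
    except ImportError:
        return None
    return is_vulnerable_version(pygments.__version__)


def _worker(func, args, conn):
    """Child-process body: run func and send the result (or the error) back over the pipe."""
    try:
        conn.send(("ok", func(*args)))
    except Exception as exc:  # report instead of leaving the parent waiting
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def run_with_timeout(func, args=(), timeout=2.0):
    """Run func(*args) in a child process; kill it and raise TimeoutError if it overruns."""
    parent_conn, child_conn = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_worker, args=(func, args, child_conn))
    proc.start()
    child_conn.close()  # the parent keeps only the read end
    # Wait on the pipe rather than on join(): a child writing a large result
    # would otherwise block on a full pipe buffer and look like a timeout.
    if not parent_conn.poll(timeout):
        proc.terminate()
        proc.join()
        parent_conn.close()
        raise TimeoutError(f"processing exceeded {timeout:.1f}s and was killed")
    try:
        status, payload = parent_conn.recv()
    except EOFError:  # child died without reporting
        status, payload = "error", "worker exited without a result"
    finally:
        parent_conn.close()
        proc.join()
    if status == "error":
        raise RuntimeError(payload)
    return payload


def _highlight(code, lexer_name):
    """Runs inside the child; imports Pygments lazily so this module loads without it."""
    from pygments import highlight
    from pygments.lexers import get_lexer_by_name
    from pygments.formatters import HtmlFormatter
    return highlight(code, get_lexer_by_name(lexer_name), HtmlFormatter())


def highlight_bounded(code, lexer_name="python", timeout=2.0):
    """Highlight untrusted code under a hard wall-clock budget (assumed defaults)."""
    return run_with_timeout(_highlight, (code, lexer_name), timeout)


# Stand-ins (constructed for this example) to exercise the wrapper without Pygments.
def echo_value(value):
    return value


def stall_for(seconds):
    time.sleep(seconds)  # a real ReDoS burns CPU instead; terminate() handles both
    return "finished"


if __name__ == "__main__":
    status = installed_pygments_status()
    print("pygments:", "not installed" if status is None else
          ("VULNERABLE (1.1 through 2.7.3)" if status else "patched (2.7.4 or later)"))
    if status is not None:
        print(highlight_bounded("print('hello')", "python", timeout=5.0)[:60])
```

An in-process timer (signal.alarm or a threading Timer) is not a substitute for the child process: CPython's regex engine runs a single match to completion without checking for signals or releasing the GIL, so a pathological match cannot be interrupted from inside the interpreter, only by killing the process that runs it. Treat the budget as a stopgap that limits the blast radius of one request; the fix remains upgrading to 2.7.4.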

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for code parsing
  • High CPU usage spikes in Pygments-related processes
  • Application timeouts or crashes during code highlighting

Network Indicators:

  • Repeated submissions of similar code patterns
  • Unusually large or complex code submissions to endpoints using Pygments

SIEM Query:

source="application_logs" AND ("pygments" OR "syntax highlighting") AND (duration>10s OR "timeout" OR "CPU spike")
