CVE-2021-32839

7.5 HIGH

📋 TL;DR

CVE-2021-32839 is a regular expression denial of service (ReDoS) vulnerability in sqlparse, a Python SQL parser library. The vulnerability allows attackers to cause excessive CPU consumption and service disruption by providing SQL comments containing many repetitions of '\r\n'. This affects Python applications using sqlparse's formatting feature with comment stripping enabled.

💻 Affected Systems

Products:
  • sqlparse
Versions: 0.4.0 through 0.4.1
Operating Systems: All operating systems running Python
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using sqlformat.format() with strip_comments=True or the sqlformat command line tool with --strip-comments flag.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting all users of the application until the process is restarted.

🟠 Likely Case

Degraded performance or temporary service disruption for users when processing malicious SQL input with the vulnerable formatting feature.

🟢 If Mitigated

No impact if comment stripping is disabled or the vulnerable function is not used.

🌐 Internet-Facing: MEDIUM - Requires user input containing specific SQL comment patterns to trigger, but could affect web applications processing SQL from untrusted sources.
🏢 Internal Only: LOW - Typically requires specific SQL input patterns that are less likely in controlled internal environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires providing SQL input with many '\r\n' sequences in comments to the vulnerable formatting function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4.2

Vendor Advisory: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf

Restart Required: No

Instructions:

1. Update sqlparse using pip: 'pip install --upgrade "sqlparse>=0.4.2"' (the version specifier must be quoted, otherwise the shell treats '>' as an output redirection)
2. Verify the update with: 'pip show sqlparse'
3. Test that SQL formatting with comment stripping works correctly.

🔧 Temporary Workarounds

Disable comment stripping (applies to: all)

Avoid using the vulnerable comment stripping feature in sqlparse formatting functions:

  • Do not use strip_comments=True in sqlformat.format()
  • Do not use the --strip-comments flag with the sqlformat CLI

🧯 If You Can't Patch

  • Disable or restrict use of sqlformat.format() with strip_comments=True in application code.
  • Implement input validation to reject SQL containing excessive '\r\n' sequences in comments.

🔍 How to Verify

Check if Vulnerable:

Check the sqlparse version: 'pip show sqlparse | grep Version' - if the version is 0.4.0 or 0.4.1, the installed library is vulnerable.

Check Version:

pip show sqlparse | grep Version

Verify Fix Applied:

Verify sqlparse version is 0.4.2 or higher: 'pip show sqlparse | grep Version'
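The input-validation workaround from "If You Can't Patch" and the version check from "How to Verify", as an added example that is not part of the advisory or of sqlparse itself. The CRLF_LIMIT threshold of 10 is an assumption (the advisory gives no number), and the 'pip show' output is parsed from captured text rather than by running pip.

```python
"""Added guard for CVE-2021-32839: refuse SQL carrying a long run of '\r\n'
before it reaches sqlparse.format(strip_comments=True), and check whether an
installed sqlparse falls in the affected range (0.4.0 through 0.4.1)."""

VULNERABLE_RANGE = ((0, 4, 0), (0, 4, 1))  # affected versions from the advisory
CRLF_LIMIT = 10  # assumption: more than 10 consecutive CRLF pairs is rejected


def parse_version(text: str) -> tuple:
    """'0.4.1' -> (0, 4, 1); a non-numeric suffix such as '1rc1' keeps only the '1'."""
    parts = []
    for piece in text.strip().split("."):
        digits = len(piece) - len(piece.lstrip("0123456789"))
        if digits == 0:
            break
        parts.append(int(piece[:digits]))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True for 0.4.0 and 0.4.1, the versions named in the advisory."""
    return VULNERABLE_RANGE[0] <= parse_version(version) <= VULNERABLE_RANGE[1]


def version_from_pip_show(output: str) -> str:
    """Pull the 'Version:' field out of captured 'pip show sqlparse' output."""
    for line in output.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Version:' line in pip show output")


def max_crlf_run(sql: str) -> int:
    """Longest run of consecutive '\r\n' pairs; single linear pass, no regex."""
    best = run = i = 0
    while i < len(sql):
        if sql.startswith("\r\n", i):
            run += 1
            best = max(best, run)
            i += 2
        else:
            run = 0
            i += 1
    return best


def format_stripping_comments(sql: str, limit: int = CRLF_LIMIT) -> str:
    """Guarded call: reject the trigger shape, then hand off to sqlparse."""
    run = max_crlf_run(sql)
    if run > limit:
        raise ValueError(f"refusing SQL with a run of {run} CRLF sequences")
    import sqlparse  # deferred so the checks above run without it installed
    return sqlparse.format(sql, strip_comments=True)
```

Ordinary CRLF-terminated SQL yields runs of length 1, so only blocks of consecutive blank lines inside the input trip the guard.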

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage spikes when processing SQL input
  • Application timeouts or crashes during SQL formatting operations

Network Indicators:

  • Unusually large SQL payloads containing many line breaks in comments

SIEM Query:

Process monitoring for high CPU usage by Python processes running sqlparse functions
