CVE-2024-21503

Advisory

Black before 24.3.0 have a security vulnerability where specific code formatting patterns could lead to arbitrary code execution. This issue arises from the unsafe handling of AST nodes, potentially allowing an attacker to execute code when Black formats a maliciously crafted Python file.
https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8

Affected package

Affected versions

Fixed versions

Vulnerability changelog

Highlights

This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
[CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503).

This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.

Stable style

- Don't move comments along with delimiters, which could cause crashes (4248)
- Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (4270)
- Fix a bug where line-ranges exceeding the last code line would not work as expected
(4273)

Performance

- Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
[CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503).
(4278)

Documentation

- Note what happens when `--check` is used with `--quiet` (4236)

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503