Safety vulnerability ID: 66742
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Black before 24.3.0 have a security vulnerability where specific code formatting patterns could lead to arbitrary code execution. This issue arises from the unsafe handling of AST nodes, potentially allowing an attacker to execute code when Black formats a maliciously crafted Python file.
https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8
Latest version: 24.4.2
The uncompromising code formatter.
Highlights
This release is a milestone: it fixes Black's first CVE security vulnerability. If you
run Black on untrusted input, or if you habitually put thousands of leading tab
characters in your docstrings, you are strongly encouraged to upgrade immediately to fix
[CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503).
This release also fixes a bug in Black's AST safety check that allowed Black to make
incorrect changes to certain f-strings that are valid in Python 3.12 and higher.
Stable style
- Don't move comments along with delimiters, which could cause crashes (4248)
- Strengthen AST safety check to catch more unsafe changes to strings. Previous versions
of Black would incorrectly format the contents of certain unusual f-strings containing
nested strings with the same quote type. Now, Black will crash on such strings until
support for the new f-string syntax is implemented. (4270)
- Fix a bug where line-ranges exceeding the last code line would not work as expected
(4273)
Performance
- Fix catastrophic performance on docstrings that contain large numbers of leading tab
characters. This fixes
[CVE-2024-21503](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21503).
(4278)
Documentation
- Note what happens when `--check` is used with `--quiet` (4236)
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application