
mpmath is being flagged for ReDoS vulnerability

Open · jason-ogaard opened this issue 3 years ago · 2 comments

Aquasec is flagging the latest version of mpmath (1.2.1) as vulnerable to being used for a ReDoS attack. See here for more details.

jason-ogaard, Sep 14 '22 21:09

I can't tell from there what the problem is. Is there more information somewhere?

oscarbenjamin, Sep 15 '22 00:09

This appears to be the subject of #570 (from the first link to "Advisories, Solutions, and Tools" on the provided NIST page). At this point the fix has already been made and I presume it will be in the next release.

For now, you can patch your system by changing two lines in mpmath/ctx_mp.py

saoicourts, Sep 20 '22 21:09
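The bug class this issue is about is catastrophic backtracking in a regular expression. The following is an added example, not mpmath's code and not posted by anyone in this thread, showing how a practitioner can safely confirm whether a suspect pattern is exploitable and whether a rewrite is equivalent. The two patterns (`VULNERABLE`, `HARDENED`), the helper names (`probe`, `same_language`, `hostile_input`) and the sample strings are all constructed for illustration; they only mimic the shape of the defect (a nested, ambiguous quantifier) and are not the actual mpmath regex or the two-line fix referred to above.

```python
"""Probe a regular expression for catastrophic backtracking.

Added example; the patterns below are constructed and are NOT mpmath's.
"""
import re
import subprocess
import sys

# Constructed patterns (assumption: these are not the real mpmath regex).
# VULNERABLE: the same run of digits can be split across the repeated
# group in 2^(n-1) ways, and every split is tried when the final '$' fails.
VULNERABLE = r"^([0-9]+)+$"
# HARDENED: accepts exactly the same strings but admits only one parse,
# so the engine gives up in linear time.
HARDENED = r"^[0-9]+$"

# Child program: the match runs in a throw-away interpreter so that a
# runaway match is killed by the parent's timeout instead of stalling us.
_CHILD = (
    "import re, sys\n"
    "print(int(re.match(sys.argv[1], sys.argv[2]) is not None))\n"
)


def probe(pattern, text, timeout=2.0):
    """Return ('done', matched) or ('timeout', None).

    A separate process is used on purpose: CPython's re module neither
    releases the GIL nor polls for signals while matching, so a thread
    join or SIGALRM cannot interrupt a match that has gone exponential.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD, pattern, text],
            capture_output=True, text=True, timeout=timeout, check=True,
        )
    except subprocess.TimeoutExpired:
        return ("timeout", None)
    return ("done", proc.stdout.strip() == "1")


def same_language(a, b, samples):
    """True if both patterns accept/reject every sample identically.

    Run this on short, well-formed and malformed inputs before shipping a
    hardened rewrite, so the fix does not silently change what parses.
    """
    return all(bool(re.match(a, s)) == bool(re.match(b, s)) for s in samples)


def hostile_input(n):
    """n digits followed by a byte that forces '$' to fail, triggering
    backtracking through every grouping before the match is rejected."""
    return "1" * n + "x"


if __name__ == "__main__":
    # Short inputs hide the problem, which is why naive fuzzing misses it.
    print("vulnerable, 12 digits:", probe(VULNERABLE, hostile_input(12)))
    print("vulnerable, 32 digits:", probe(VULNERABLE, hostile_input(32)))
    print("hardened,   32 digits:", probe(HARDENED, hostile_input(32)))
    print("same language:", same_language(
        VULNERABLE, HARDENED, ["", "0", "42", "4.2", "12x", "1" * 10]))
```

Note that the hostile string here is only 33 characters; an attacker does not need a large payload, so input-length limits alone are not a fix. The equivalence check deliberately uses short samples, because running the vulnerable pattern in-process on a long hostile input would hang the checker itself.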

@fredrik-johansson could you please publish a new release? It seems that the problem has been fixed for a while, but the fix is not in the published releases, and in the meantime mpmath is marked as a vulnerability...

wadimiusz, Nov 28 '22 06:11

Fixed with the 1.3.0 release.

fredrik-johansson, Mar 07 '23 16:03

@fredrik-johansson, probably this can be closed?

skirpichev, Mar 25 '23 04:03