CVE-2024-23826: Python Secure Filename DoS Missing Length Check

Provally Curated · Public repository · Severity: Medium · Medium confidence · Verified · Apache-2.0 · python
greprules fetch cve-2024-23826-python-secure-filename-dos-missing-length-check --engine opengrep

Description

Passing an unbounded string to `secure_filename()` can cause a Denial of Service (DoS) on Windows due to the expensive NFKD Unicode normalization loop. Verify the length of the string before calling `secure_filename()`, or slice the string to a safe length (e.g. `filename[:255]`).
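The following wrapper is an added illustration of the fix the description recommends; it is not the rule's, Provally's or werkzeug's own code. It bounds the length of the untrusted name before `secure_filename()` ever runs, so the normalization step only sees inputs of at most 255 characters (the slice the description suggests). When werkzeug is installed its real `secure_filename` is used; otherwise a constructed stand-in that mimics the NFKD-then-ASCII shape of the operation is substituted so the wrapper can be exercised offline. The names `bounded_secure_filename`, `check_filename_length`, `FilenameTooLong` and the `truncate` switch are assumptions of this example.

```python
import re
import unicodedata

# Upper bound on characters accepted before normalization. The value mirrors
# the `filename[:255]` slice suggested in the rule description.
MAX_FILENAME_LEN = 255


class FilenameTooLong(ValueError):
    """Raised when a caller chooses rejection over truncation."""


def _stand_in_secure_filename(filename: str) -> str:
    """Constructed stand-in used only when werkzeug is not installed.

    It reproduces the shape of the operation the rule is about (NFKD
    normalization followed by an ASCII reduction) so the wrapper below can be
    exercised offline; it is not werkzeug's implementation.
    """
    normalized = unicodedata.normalize("NFKD", filename)
    ascii_only = normalized.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^A-Za-z0-9_.-]", "_", ascii_only).strip("._")


try:
    from werkzeug.utils import secure_filename as _secure_filename
except ImportError:  # werkzeug absent: fall back to the constructed stand-in
    _secure_filename = _stand_in_secure_filename


def check_filename_length(filename: str, max_len: int = MAX_FILENAME_LEN) -> bool:
    """Return True when the untrusted name is short enough to normalize safely."""
    return len(filename) <= max_len


def bounded_secure_filename(
    filename: str, max_len: int = MAX_FILENAME_LEN, truncate: bool = True
) -> str:
    """Apply secure_filename() only after bounding the input length.

    The check happens before normalization: the point of the rule is that the
    expensive NFKD loop must never run over an attacker-controlled length.
    With truncate=True the name is sliced to max_len; with truncate=False an
    over-long name is rejected instead.
    """
    if not check_filename_length(filename, max_len):
        if not truncate:
            raise FilenameTooLong(f"filename exceeds {max_len} characters")
        filename = filename[:max_len]
    return _secure_filename(filename)


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, a traversal attempt and a very long name.
    for sample in ("report.txt", "../../etc/passwd", "a" * 100_000 + ".txt"):
        out = bounded_secure_filename(sample)
        print(f"{len(sample):>7} chars in -> {len(out):>3} chars out: {out[:40]!r}")
```

Whether to truncate or reject is a policy choice: truncation keeps uploads working for benign long names, while rejection (`truncate=False`) makes over-long input visible in logs, which is the more useful behaviour when the rule fires on a public upload endpoint.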

Detection target

Not provided

Recommended fix

Not provided

False-positive notes

Not provided
