Request
Requesting a PYSEC ID and CVE assignment for a confirmed ReDoS vulnerability in the feedparser package (PyPI). Maintainer is unresponsive after 64+ days.
Summary
- Package: feedparser (PyPI)
- Affected: <= 6.0.11; also confirmed present in the 6.0.12 development branch (current main, last pushed 2026-05-11)
- Class: CWE-1333 (Inefficient Regular Expression Complexity), CWE-400 (Uncontrolled Resource Consumption)
- CVSS v3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
- Location: feedparser/mixin.py lines 42-43 (regex constant), used in _sync_author_detail() at line 783
Vulnerable pattern
# feedparser/mixin.py:42-43 (current main)
r"(([a-zA-Z0-9_.+-]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)"
r"|(([a-zA-Z0-9-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(]?))"
The sub-pattern (([a-zA-Z0-9-]+\.)+) is a nested quantifier of the form (X+)+. When a crafted <author> element forces the trailing TLD group to fail, the engine backtracks through all partitions of the dotted segments, producing super-linear time complexity.
Impact
An attacker hosting a malicious RSS/Atom feed can cause CPU exhaustion in any application calling feedparser.parse(feed_url). Multiple <item> elements linearly amplify the impact. Affected use cases: self-hosted RSS readers, news aggregators, and any backend that ingests user-submitted or third-party feed URLs.
Proof of Concept
Public repository with a five-part validation (isolated regex, integration, multi-item amplification, payload variants, safe-regex comparison):
https://github.com/kmanan/feedparser-redos-poc
Run:
pip install feedparser
git clone https://github.com/kmanan/feedparser-redos-poc
cd feedparser-redos-poc
python feedparser_redos_poc.py
Built-in safety stops cap individual tests at 30-60 seconds.
Proposed fix
# Vulnerable:
r"(([a-zA-Z0-9-]+\.)+)"
# Fixed:
r"([a-zA-Z0-9-.]+)"
Every valid email-domain input the original accepts is also accepted by the flat form; the flat form is slightly looser (it also tolerates a domain with no dot or with consecutive dots), which is acceptable for a heuristic extractor. A single quantifier over one character class has only one way to consume its input, so the flat form cannot exhibit catastrophic backtracking. Note that the fix drops one capture group, which matters only if the surrounding code indexes match groups by number.
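The isolated-regex check and the safe-regex comparison described above, as an added example (not code from the feedparser project or from the PoC repository): it compiles the quoted pattern and the proposed replacement, confirms that both extract the same address from ordinary author strings (constructed samples), and times a search against a crafted <author> payload for increasing n so the growth can be read off directly. It assumes the pattern is applied with re.search, as an unanchored extractor would be; the page does not say which re call feedparser uses.

```python
"""Isolated timing and equivalence check for the feedparser author-email regex.

Added example, not code from the feedparser project or the PoC repository.
Both patterns are copied from the report; re.search is an assumption about
how feedparser applies the pattern to the <author> text.
"""
import re
import time

# Vulnerable pattern as quoted from feedparser/mixin.py in the report.
VULNERABLE = re.compile(
    r"(([a-zA-Z0-9_.+-]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)"
    r"|(([a-zA-Z0-9-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(]?))"
)

# Same pattern with the proposed fix applied: the repeated (label\.)+ group
# is replaced by one character class, so the domain part can be consumed
# in only one way.
FIXED = re.compile(
    r"(([a-zA-Z0-9_.+-]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)"
    r"|([a-zA-Z0-9-.]+))([a-zA-Z]{2,4}|[0-9]{1,3})(]?))"
)

# Constructed author strings of the kind a feed might carry; used to confirm
# that the fixed pattern extracts exactly what the original extracted.
VALID_AUTHORS = [
    "John Doe <john.doe@example.com>",
    "mail@sub.domain.co.uk (Jane)",
    "root@[192.168.0.1]",
    "first+tag@news-site.org",
]


def extract(pattern, author):
    """Return the address the pattern finds in an author string, or None."""
    m = pattern.search(author)
    return m.group(1) if m else None


def agree_on_valid(samples=VALID_AUTHORS):
    """True when both patterns extract an address and the addresses match."""
    for s in samples:
        original, fixed = extract(VULNERABLE, s), extract(FIXED, s)
        if original is None or original != fixed:
            return False
    return True


def build_payload(n):
    """Constructed <author> text: one '@', n dotted single-letter labels and a
    terminator that satisfies neither TLD alternative, so every way of
    finishing the match fails and the engine is forced to backtrack."""
    return "x@" + "a." * n + "!"


def time_search(pattern, text):
    """Wall-clock seconds for a single search (the payload never matches)."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def growth(pattern, sizes):
    """(n, seconds) pairs so the growth rate can be read off directly."""
    return [(n, time_search(pattern, build_payload(n))) for n in sizes]


if __name__ == "__main__":
    assert agree_on_valid()
    for label, pat in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        for n, secs in growth(pat, (1000, 2000, 4000)):
            print(f"{label:10s} n={n:5d} {secs:8.3f}s")
```

Run it directly to print the timing table for both patterns; doubling n and watching how the seconds column scales is the check that complements the repository's PoC without needing to install feedparser.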
Disclosure timeline
| Date | Event |
| --- | --- |
| 2026-03-09 | Maintainer (Kurt McKee) notified privately |
| 2026-03-16 | Reported to Snyk |
| 2026-04-19 | Public disclosure at kurtmckee/feedparser#562 after 41 days of maintainer silence |
| 2026-05-12 | No maintainer response. Repository remains actively committed to (last push 2026-05-11). |
A second independent researcher (@jacopotediosi) has reported separate XSS vulnerabilities to the same maintainer with the same outcome — no response. Pattern of unresponsiveness across at least two independent reports.
Draft OSV YAML
id: PYSEC-0000-0000
details: |
  feedparser versions <= 6.0.11 (and the 6.0.12 development branch as of
  2026-05) contain a Regular Expression Denial of Service (ReDoS)
  vulnerability in the email regex defined at `feedparser/mixin.py` lines
  42-43 and used in `_sync_author_detail()` at line 783.

  The regex contains the sub-pattern `(([a-zA-Z0-9-]+\.)+)`, a nested
  quantifier of the form `(X+)+`. When a crafted `<author>` element forces
  the trailing TLD group to fail to match, the engine backtracks through all
  partitions of the dotted segments, producing super-linear time complexity.

  An attacker hosting a malicious RSS/Atom feed can cause CPU exhaustion in
  any application calling `feedparser.parse(feed_url)`. Multiple `<item>`
  elements linearly amplify the impact.

  Proof of concept: https://github.com/kmanan/feedparser-redos-poc

  Proposed fix: replace the nested quantifier `(([a-zA-Z0-9-]+\.)+)` with a
  flat character class `([a-zA-Z0-9-.]+)`.
aliases: []
modified: "2026-05-12T00:00:00Z"
published: "2026-05-12T00:00:00Z"
affected:
  - package:
      name: feedparser
      ecosystem: PyPI
      purl: pkg:pypi/feedparser
    ranges:
      - type: ECOSYSTEM
        events:
          - introduced: "0"
    versions:
      - "6.0.11"
database_specific:
  cwe_ids:
    - CWE-1333
    - CWE-400
references:
  - type: REPORT
    url: https://github.com/kurtmckee/feedparser/issues/562
  - type: EVIDENCE
    url: https://github.com/kmanan/feedparser-redos-poc
  - type: PACKAGE
    url: https://pypi.org/project/feedparser/
credits:
  - name: Manan Kakkar
    type: REPORTER
    contact:
      - https://github.com/kmanan
Happy to open a PR adding this YAML under vulns/feedparser/ if that's the preferred submission flow.
References
- https://github.com/kurtmckee/feedparser/issues/562 (public report)
- https://github.com/kmanan/feedparser-redos-poc (proof of concept)
- https://pypi.org/project/feedparser/ (package)
Credit
Reporter: Manan Kakkar (@kmanan)