kmanan/feedparser-redos-poc
feedparser ReDoS — _sync_author_detail()

Proof of Concept for a Regular Expression Denial of Service vulnerability in the feedparser Python package.

  • Affected: feedparser <= 6.0.11, also present in 6.0.12 development branch
  • Location: feedparser/mixin.py:42-43 (regex constant), used in _sync_author_detail() at line 783
  • Class: CWE-1333 (Inefficient Regular Expression Complexity), CWE-400 (Uncontrolled Resource Consumption)
  • CVSS v3.1: 7.5 — AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Upstream report: kurtmckee/feedparser#562

Vulnerable pattern

# feedparser/mixin.py:42-43
r"(([a-zA-Z0-9_.+-]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)"
r"|(([a-zA-Z0-9-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(]?))"

The group (([a-zA-Z0-9-]+\.)+) is a nested quantifier ((X+)+-shaped). When a crafted <author> element forces the trailing TLD group to fail to match, the regex engine backtracks through all partitions of the dotted segments, producing super-linear time complexity.

Impact

Any application calling feedparser.parse(feed_url) on attacker-controlled feeds can be made to consume CPU for seconds to minutes per item. Multiple <item> elements linearly amplify total processing time. This affects:

  • Self-hosted RSS readers
  • News aggregators
  • Any backend that ingests user-submitted feed URLs
  • Any pipeline that processes third-party RSS/Atom feeds

Running the PoC

pip install feedparser
python feedparser_redos_poc.py

The script runs five tests:

  1. Isolated regex — confirms super-linear growth in the regex itself (no feedparser needed)
  2. Integration — confirms feedparser.parse() is slow on crafted feeds
  3. Multi-item amplification — confirms each <item> independently amplifies the cost
  4. Variant analysis — compares payload shapes
  5. Safe-regex comparison — demonstrates the proposed fix processes the same inputs in linear time

Built-in safety stops at 30s (per regex test) and 60s (per integration test).

Proposed fix

Replace the nested quantifier with a flat character class:

# Vulnerable:
r"(([a-zA-Z0-9-]+\.)+)"

# Fixed:
r"([a-zA-Z0-9-.]+)"

Both patterns accept the same set of valid email-domain inputs. The flat form has no nested quantifier and cannot exhibit catastrophic backtracking.
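An added check, not part of this repository's PoC script, that exercises the proposed fix: it assumes the fixed regex is the README's pattern with only the nested group swapped for the flat class, compares the two on constructed sample author strings, and times only the fixed pattern on the TLD-failing input shape the README describes.

```python
import re
import time

# Vulnerable pattern exactly as quoted from feedparser/mixin.py:42-43.
VULNERABLE = re.compile(
    r"(([a-zA-Z0-9_.+-]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)"
    r"|(([a-zA-Z0-9-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(]?))"
)
# Same pattern with the proposed fix applied: the nested group
# (([a-zA-Z0-9-]+\.)+) becomes the flat class ([a-zA-Z0-9-.]+).
FIXED = re.compile(
    r"(([a-zA-Z0-9_.+-]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)"
    r"|([a-zA-Z0-9-.]+))([a-zA-Z]{2,4}|[0-9]{1,3})(]?))"
)

# Constructed sample <author> strings (not taken from the original page).
VALID_AUTHORS = [
    "user@example.com",
    "jane.doe+news@mail.example.co.uk",
    "ops@[192.168.1.1]",
    "Jane Doe (jane@example.org)",
]


def same_match(text: str) -> bool:
    """True when both patterns agree on the matched address (group 0).
    Only the whole match is compared: the flat class has one capture group
    where the nested form had two, so later group numbers shift."""
    old = VULNERABLE.search(text)
    new = FIXED.search(text)
    if old is None or new is None:
        return old is new
    return old.group(0) == new.group(0)


def fixed_rejects_in_linear_time(segments: int) -> tuple[bool, float]:
    """Time only the FIXED pattern on an input whose trailing TLD fails
    (the shape the README describes); returns (rejected, seconds)."""
    text = "x@" + "a." * segments + "!"
    start = time.perf_counter()
    result = FIXED.match(text)
    return result is None, time.perf_counter() - start


if __name__ == "__main__":
    for author in VALID_AUTHORS:
        print(f"{author!r}: same match = {same_match(author)}")
    rejected, seconds = fixed_rejects_in_linear_time(20000)
    print(f"FIXED, 20000 segments: rejected={rejected} in {seconds:.4f}s")
```

One caveat the flat class brings: it is a superset of the nested form, so a string such as `x@a..b.com` (consecutive dots) is rejected by the original pattern but accepted by the fixed one. If feedparser reads specific numbered groups after this point, the group count change also needs checking.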

Disclosure timeline

Date Event
2026-03-09 Maintainer notified privately
2026-03-16 Reported to Snyk
2026-04-19 Public disclosure at kurtmckee/feedparser#562 after 41 days of maintainer silence
2026-05-12 Still no maintainer response; the repository continues to receive commits.

A second independent researcher (@jacopotediosi) has reported separate XSS vulnerabilities to the same maintainer with the same outcome.

CVE status

CVE assignment in progress via PyPA Advisory Database, GitHub Security Advisory program, and Snyk. This README will be updated when an ID is assigned.

Credit

Reporter: Manan Kakkar

License

MIT — see LICENSE
