Share
## https://sploitus.com/exploit?id=FB1F9902-F291-5255-83F6-925FF483087A
# feedparser ReDoS โ€” `_sync_author_detail()`

Proof of Concept for a Regular Expression Denial of Service vulnerability in the [`feedparser`](https://pypi.org/project/feedparser/) Python package.

- **Affected:** `feedparser ` element forces the trailing TLD group to fail to match, the regex engine backtracks through all partitions of the dotted segments, producing super-linear time complexity.

## Impact

Any application calling `feedparser.parse(feed_url)` on attacker-controlled feeds can be made to consume CPU for seconds to minutes per item. Multiple `` elements linearly amplify total processing time. This affects:

- Self-hosted RSS readers
- News aggregators
- Any backend that ingests user-submitted feed URLs
- Any pipeline that processes third-party RSS/Atom feeds

## Running the PoC

```bash
pip install feedparser
python feedparser_redos_poc.py
```

The script runs five tests:

1. **Isolated regex** โ€” confirms super-linear growth in the regex itself (no `feedparser` needed)
2. **Integration** โ€” confirms `feedparser.parse()` is slow on crafted feeds
3. **Multi-item amplification** โ€” confirms each `` independently amplifies the cost
4. **Variant analysis** โ€” compares payload shapes
5. **Safe-regex comparison** โ€” demonstrates the proposed fix processes the same inputs in linear time

Built-in safety stops at 30s (per regex test) and 60s (per integration test).

## Proposed fix

Replace the nested quantifier with a flat character class:

```python
# Vulnerable:
r"(([a-zA-Z0-9-]+\.)+)"

# Fixed:
r"([a-zA-Z0-9-.]+)"
```

Both patterns accept the same set of valid email-domain inputs. The flat form has no nested quantifier and cannot exhibit catastrophic backtracking.

## Disclosure timeline

| Date | Event |
|---|---|
| 2026-03-09 | Maintainer notified privately |
| 2026-03-16 | Reported to Snyk |
| 2026-04-19 | Public disclosure at [kurtmckee/feedparser#562](https://github.com/kurtmckee/feedparser/issues/562) after 41 days of maintainer silence |
| 2026-05-12 | No maintainer response. Repository remains actively committed to. |

A second independent researcher ([@jacopotediosi](https://github.com/jacopotediosi)) has reported separate XSS vulnerabilities to the same maintainer with the same outcome.

## CVE status

CVE assignment in progress via PyPA Advisory Database, GitHub Security Advisory program, and Snyk. This README will be updated when an ID is assigned.

## Credit

Reporter: [Manan Kakkar](https://github.com/kmanan)

## License

MIT โ€” see [LICENSE](LICENSE)