## https://sploitus.com/exploit?id=FB1F9902-F291-5255-83F6-925FF483087A
# feedparser ReDoS โ `_sync_author_detail()`
Proof of Concept for a Regular Expression Denial of Service vulnerability in the [`feedparser`](https://pypi.org/project/feedparser/) Python package.
- **Affected:** `feedparser ` element forces the trailing TLD group to fail to match, the regex engine backtracks through all partitions of the dotted segments, producing super-linear time complexity.
## Impact
Any application calling `feedparser.parse(feed_url)` on attacker-controlled feeds can be made to consume CPU for seconds to minutes per item. Multiple `` elements linearly amplify total processing time. This affects:
- Self-hosted RSS readers
- News aggregators
- Any backend that ingests user-submitted feed URLs
- Any pipeline that processes third-party RSS/Atom feeds
## Running the PoC
```bash
pip install feedparser
python feedparser_redos_poc.py
```
The script runs five tests:
1. **Isolated regex** โ confirms super-linear growth in the regex itself (no `feedparser` needed)
2. **Integration** โ confirms `feedparser.parse()` is slow on crafted feeds
3. **Multi-item amplification** โ confirms each `` independently amplifies the cost
4. **Variant analysis** โ compares payload shapes
5. **Safe-regex comparison** โ demonstrates the proposed fix processes the same inputs in linear time
Built-in safety stops at 30s (per regex test) and 60s (per integration test).
## Proposed fix
Replace the nested quantifier with a flat character class:
```python
# Vulnerable:
r"(([a-zA-Z0-9-]+\.)+)"
# Fixed:
r"([a-zA-Z0-9-.]+)"
```
Both patterns accept the same set of valid email-domain inputs. The flat form has no nested quantifier and cannot exhibit catastrophic backtracking.
## Disclosure timeline
| Date | Event |
|---|---|
| 2026-03-09 | Maintainer notified privately |
| 2026-03-16 | Reported to Snyk |
| 2026-04-19 | Public disclosure at [kurtmckee/feedparser#562](https://github.com/kurtmckee/feedparser/issues/562) after 41 days of maintainer silence |
| 2026-05-12 | No maintainer response. Repository remains actively committed to. |
A second independent researcher ([@jacopotediosi](https://github.com/jacopotediosi)) has reported separate XSS vulnerabilities to the same maintainer with the same outcome.
## CVE status
CVE assignment in progress via PyPA Advisory Database, GitHub Security Advisory program, and Snyk. This README will be updated when an ID is assigned.
## Credit
Reporter: [Manan Kakkar](https://github.com/kmanan)
## License
MIT โ see [LICENSE](LICENSE)