Subject: [ASA-202105-24] python-pydantic: denial of service

Arch Linux Security Advisory ASA-202105-24
==========================================

Severity: Medium
Date    : 2021-05-25
CVE-ID  : CVE-2021-29510
Package : python-pydantic
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1951

Summary
=======

The package python-pydantic before version 1.8.2-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 1.8.2-1.

# pacman -Syu "python-pydantic>=1.8.2-1"

The problem has been fixed upstream in version 1.8.2.

Workaround
==========

None.

Description
===========

A security issue has been found in pydantic before version 1.8.2. Passing the strings 'infinity' or 'inf', or the value float('inf') (or the negative of any of these), to a datetime or date field causes validation to run forever at 100% CPU usage on one core; the request never completes and the process never returns an error.

Impact
======

A remote attacker who can submit input to a datetime or date field of a pydantic model can pin one CPU core indefinitely with a single request, leading to denial of service.

References
==========

https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh
https://github.com/samuelcolvin/pydantic/commit/1c24f1d74ba95ea985b50bdc001ce96c813229aa
https://security.archlinux.org/CVE-2021-29510
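The following is an added example and is not pydantic's code nor part of the advisory. It is a stand-alone reconstruction of the numeric-timestamp path the Description refers to: a lenient parser first coerces the raw field value with float(), which happily accepts 'inf', 'infinity' and '-inf', then scales the number down by 1000 in a loop until it looks like seconds rather than milliseconds. A non-finite value never drops below the threshold, so that loop never ends. The hardened variant rejects non-finite input up front and clamps absurd magnitudes before the loop. The constants MS_WATERSHED and MAX_NUMBER and all function names are assumptions chosen for illustration, and the vulnerable loop is capped with an iteration limit so the demonstration can be run safely; the real fix is to upgrade as the Resolution says.

```python
import math
from datetime import datetime, timedelta, timezone
from typing import Union

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumed watershed: numbers above this are treated as milliseconds, not seconds.
MS_WATERSHED = int(2e10)
# Assumed upper bound: nothing beyond this magnitude can be a datetime at all.
MAX_NUMBER = int(3e20)


def to_number(value: Union[int, float, str]) -> float:
    """Coerce the raw field value the way a lenient parser would.
    Note that 'inf', 'infinity', '-inf' and 'nan' all pass this step."""
    return float(value)


def vulnerable_from_unix_seconds(seconds: float, max_iterations: int = 100) -> datetime:
    """Reconstruction of the unbounded scale-down loop (assumed shape, not
    pydantic's code). inf / 1000 is still inf, so with a non-finite input the
    condition never becomes false. The max_iterations cap exists only so this
    demonstration terminates instead of pinning a core."""
    iterations = 0
    while abs(seconds) > MS_WATERSHED:
        seconds /= 1000
        iterations += 1
        if iterations >= max_iterations:
            raise RuntimeError("would loop forever: value never drops below MS_WATERSHED")
    return EPOCH + timedelta(seconds=seconds)


def hardened_from_unix_seconds(seconds: float) -> datetime:
    """Refuse non-finite values and clamp huge magnitudes before the loop, so the
    loop is only ever entered with a finite, bounded number and must terminate."""
    if not math.isfinite(seconds):
        raise ValueError("datetime value must be a finite number")
    if seconds > MAX_NUMBER:
        return datetime.max.replace(tzinfo=timezone.utc)
    if seconds < -MAX_NUMBER:
        return datetime.min.replace(tzinfo=timezone.utc)
    while abs(seconds) > MS_WATERSHED:
        seconds /= 1000
    return EPOCH + timedelta(seconds=seconds)


def rejects(raw: Union[int, float, str]) -> bool:
    """True if the hardened parser refuses the raw field value (demo helper)."""
    try:
        hardened_from_unix_seconds(to_number(raw))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's trigger values plus a normal timestamp.
    for raw in ("inf", "infinity", "-inf", float("inf"), "nan", 1_600_000_000):
        print(f"{raw!r:>16}: rejected={rejects(raw)}")
    try:
        vulnerable_from_unix_seconds(to_number("inf"))
    except RuntimeError as exc:
        print("vulnerable parser:", exc)
```

Note that the check has to happen on the numeric value, after coercion: a denylist of the strings 'inf' and 'infinity' would miss float('inf') arriving from an already-parsed JSON body or from a caller passing a float directly, which is exactly the case the advisory lists alongside the strings.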