CVE Reports

Posted on • Originally published at cvereports.com

GHSA-27JP-WM6Q-GP25: Death by Parentheses: The sqlparse Recursive DoS

Vulnerability ID: GHSA-27JP-WM6Q-GP25
CVSS Score: 6.5
Published: 2026-02-13

A high-impact Denial of Service vulnerability in the ubiquitous sqlparse Python library lets attackers exhaust server CPU and memory with deeply nested SQL statements. The grouping engine recurses without any bound, so a crafted payload containing massive lists of tuples can crash applications that use the library for logging, formatting, or analysis.

TL;DR

The sqlparse library prior to version 0.5.4 contains an unbounded-recursion flaw in its grouping engine. Attackers can trigger a Denial of Service by sending SQL queries with massive lists of tuples (e.g., in IN clauses), causing the parser to hit the recursion limit or hang the CPU. Fix by upgrading to 0.5.4, which introduces circuit breakers (a maximum grouping depth and a maximum token count).


⚠️ Exploit Status: PoC

Technical Details

  • Vulnerability Type: Denial of Service (DoS)
  • CWE ID: CWE-400 / CWE-674
  • CVSS (Estimated): 6.5 (Medium)
  • Attack Vector: Network (via crafted SQL input)
  • Affected Component: sqlparse.engine.grouping
  • Exploit Status: PoC Available

Affected Systems

  • Django Debug Toolbar
  • dbt (data build tool)
  • pgcli
  • Python-based SQL logging middleware
  • Custom SQL administration interfaces
  • sqlparse: < 0.5.4 (Fixed in: 0.5.4)

Code Analysis

Commit: 40ed3aa

Added MAX_GROUPING_DEPTH and MAX_GROUPING_TOKENS to prevent DoS

diff --git a/sqlparse/engine/grouping.py b/sqlparse/engine/grouping.py
index ...
--- a/sqlparse/engine/grouping.py
+++ b/sqlparse/engine/grouping.py
@@ -10,6 +10,8 @@
 from sqlparse.utils import recurse

+MAX_GROUPING_DEPTH = 100
+MAX_GROUPING_TOKENS = 10000
+
 def _group_matching(tlist, cls, depth=0):
+    if MAX_GROUPING_DEPTH is not None and depth > MAX_GROUPING_DEPTH:
+        return
+    if MAX_GROUPING_TOKENS is not None and len(tlist.tokens) > MAX_GROUPING_TOKENS:
+        return
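Review bot: the new guard in `_group_matching` compares `depth` against `MAX_GROUPING_DEPTH`, but nothing in this hunk shows the recursive calls passing `depth + 1`; unless every recursive call site is updated to increment it, `depth` stays at its default of 0 and the nesting limit is never enforced. Both early `return`s also bail out silently, leaving the token list ungrouped with no signal to the caller; consider logging or raising a dedicated exception so a rejected statement is visible to operators, and add a docstring for the two constants noting that `None` disables the limit, as the `is not None` checks imply. The `@@ -10,6 +10,8 @@` header claims only two added lines while seven are shown, so this excerpt is likely trimmed; the full change should be reviewed for the missing call-site updates.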

Mitigation Strategies

  • Limit complexity of SQL processed by formatting tools.
  • Implement circuit breakers for recursion depth.
  • Sanitize input length before parsing.
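As an added example (not sqlparse's own code), a pre-parse circuit breaker implementing the first and third points above: it counts tokens and the maximum parenthesis nesting of an untrusted statement, ignoring parentheses inside string literals, quoted identifiers and comments, and refuses to hand the statement to the parser when either exceeds a limit. The limit values mirror the constants in the patch; the tokenizer is a deliberately rough approximation, not sqlparse's lexer.

```python
import re

# Limits mirror the constants added in sqlparse 0.5.4; they are this
# example's own knobs, not read from sqlparse.
MAX_DEPTH = 100
MAX_TOKENS = 10000

# Rough lexer: literals and comments are matched as single tokens so that
# parentheses inside them are not counted as nesting.
_TOKEN_RE = re.compile(
    r"'(?:[^']|'')*'"   # single-quoted string literal ('' escape)
    r'|"(?:[^"]|"")*"'  # double-quoted identifier
    r"|--[^\n]*"        # line comment
    r"|/\*.*?\*/"       # block comment
    r"|\w+"             # keywords, names, numbers
    r"|\S",             # any other single character, e.g. ( ) , ;
    re.S,
)


def sql_complexity(sql):
    """Return (token_count, max_paren_depth) for a SQL string."""
    depth = max_depth = tokens = 0
    for match in _TOKEN_RE.finditer(sql):
        tokens += 1
        tok = match.group(0)
        if tok == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif tok == ")":
            depth = max(depth - 1, 0)  # tolerate unbalanced input
    return tokens, max_depth


def is_safe_to_parse(sql, max_tokens=MAX_TOKENS, max_depth=MAX_DEPTH):
    """Circuit breaker: True only if the statement is within both limits."""
    tokens, depth = sql_complexity(sql)
    return tokens <= max_tokens and depth <= max_depth


def nested_in_clause(depth):
    """Constructed sample: an IN clause nested `depth` parentheses deep."""
    return "SELECT 1 WHERE x IN " + "(" * depth + "1" + ")" * depth


if __name__ == "__main__":
    print(sql_complexity("SELECT '(((' FROM t WHERE (a, b) IN ((1, 2))"))
    print(is_safe_to_parse(nested_in_clause(5)))     # True
    print(is_safe_to_parse(nested_in_clause(5000)))  # False
```

Call `is_safe_to_parse` in logging middleware or admin tooling before any `sqlparse.format` or `sqlparse.parse` call on attacker-influenced input, and record rejections so abusive queries show up in monitoring.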

Remediation Steps:

  1. Identify all Python environments using sqlparse (check pip freeze).
  2. Upgrade sqlparse to version 0.5.4 or higher via pip install --upgrade sqlparse.
  3. Verify the upgrade by running pip show sqlparse.
  4. Restart application services to load the new library version.

Read the full report for GHSA-27JP-WM6Q-GP25 on our website for more details including interactive diagrams and full exploit analysis.
