CVSS Score: 6.5 Published: 2026-02-13 Full Report: https://cvereports.com/reports/GHSA-27JP-WM6Q-GP25
A high-impact Denial of Service vulnerability in the widely used sqlparse Python library allows attackers to exhaust server CPU and memory with deeply nested SQL statements. By exploiting unchecked recursion in the grouping engine, a crafted payload containing massive lists of tuples can crash applications that use this library for logging, formatting, or analysis.
The sqlparse library prior to version 0.5.4 contains an unbounded recursion flaw in its grouping engine. Attackers can trigger a Denial of Service by sending SQL queries with massive lists of tuples (e.g., in IN clauses), causing the parser to hit the recursion limit or hang the CPU. Remediate by upgrading to 0.5.4, which introduces recursion-depth circuit breakers.
- Vulnerability Type: Denial of Service (DoS)
- CWE ID: CWE-400 / CWE-674
- CVSS (Estimated): 6.5 (Medium)
- Attack Vector: Network (via crafted SQL input)
- Affected Component: sqlparse.engine.grouping
- Exploit Status: PoC Available
Known Dependents:
- Django Debug Toolbar
- dbt (data build tool)
- pgcli
- Python-based SQL logging middleware
- Custom SQL administration interfaces
Affected Versions:
- sqlparse: < 0.5.4 (Fixed in: 0.5.4)
Workarounds:
- Limit the complexity of SQL processed by formatting tools.
- Implement circuit breakers for recursion depth.
- Sanitize input length before parsing.
Remediation Steps:
- Identify all Python environments using sqlparse (check pip freeze).
- Upgrade sqlparse to version 0.5.4 or higher via pip install --upgrade sqlparse.
- Verify the upgrade by running pip show sqlparse.
- Restart application services to load the new library version.
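The following is an added example, not code from sqlparse or from this report: a pre-parse guard that applies the workarounds above (bounding input length and parenthesis nesting before the text reaches sqlparse) plus a helper that checks a version string from pip show sqlparse against the fixed release. The limits MAX_SQL_LEN and MAX_NESTING are assumed policy values, not values from the advisory.

```python
"""Complexity guard for SQL handed to sqlparse (added example, not sqlparse's code)."""
import re
from typing import Optional

MAX_SQL_LEN = 64 * 1024   # assumed policy limit on statement length in bytes
MAX_NESTING = 32          # assumed policy limit on '(' nesting depth

# Blank out string literals and comments first so a ')' inside 'text' or in a
# comment does not distort the depth count.
_LITERAL_OR_COMMENT = re.compile(
    r"'(?:[^']|'')*'"          # single-quoted string, '' escapes a quote
    r'|"(?:[^"]|"")*"'         # double-quoted identifier
    r"|--[^\n]*"               # line comment
    r"|/\*.*?\*/",             # block comment
    re.S,
)

def paren_depth(sql: str) -> int:
    """Return the maximum parenthesis nesting depth of a SQL string."""
    stripped = _LITERAL_OR_COMMENT.sub(" ", sql)
    depth = max_depth = 0
    for ch in stripped:
        if ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)   # tolerate unbalanced input
    return max_depth

def check_sql_complexity(sql: str, max_len: int = MAX_SQL_LEN,
                         max_nesting: int = MAX_NESTING) -> Optional[str]:
    """Return None if sql is within limits, otherwise a reason to reject it."""
    if len(sql) > max_len:
        return f"statement too long ({len(sql)} > {max_len} bytes)"
    depth = paren_depth(sql)
    if depth > max_nesting:
        return f"nesting too deep ({depth} > {max_nesting})"
    return None

def sqlparse_is_fixed(version: str) -> bool:
    """True if a version string (e.g. the 'Version:' line of pip show) is >= 0.5.4."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (0, 5, 4)

if __name__ == "__main__":
    # Constructed inputs: a normal query and a deeply nested IN-list shaped like
    # the report's description, built locally and never executed against a database.
    benign = "SELECT id FROM t WHERE id IN ((1, 2), (3, 4)) AND name = ')('"
    nested = "SELECT 1 WHERE x IN " + "(" * 500 + "1" + ")" * 500
    for sql in (benign, nested):
        print(check_sql_complexity(sql) or "ok")
    print("fixed" if sqlparse_is_fixed("Version: 0.5.4") else "vulnerable")
```

Call check_sql_complexity on untrusted SQL before sqlparse.format or sqlparse.parse and reject on a non-None result; this caps the recursion surface until every environment is on 0.5.4.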
Generated by CVEReports - Automated Vulnerability Intelligence