
fix(security): risk-accept pygments ReDoS GHSA-5239-wwwm-4pmq (ENG-13187)#22

Merged
andriy-sudo merged 3 commits into main from
andriy/ENG-13187-fix-pygments-ghsa-5239-wwwm-4pmq
Mar 31, 2026

Conversation

@andriy-sudo (Contributor)

Vulnerability Risk Acceptance

| Package | Version | Advisory | CVSS | Status |
|---|---|---|---|---|
| pygments | 2.19.2 | GHSA-5239-wwwm-4pmq | 3.3 LOW | ⚠️ Risk accepted — no fix available |

Why risk acceptance

pygments 2.19.2 is the latest published release and is marked last_affected in the advisory — upstream has not released a patched version. No semver-compatible fix exists.

The ReDoS is exploitable only with local access and requires attacker-controlled syntax highlighting inputs (ADL/archetype files fed to AdlLexer). This is not a realistic attack vector in our deployment.

ignoreUntil: 2026-06-23 — will re-evaluate when a patched pygments release is available.

Linear ticket

Closes ENG-13187

🤖 Generated with Claude Code

- pygments 2.19.2 → risk-accepted (GHSA-5239-wwwm-4pmq, CVSS 3.3 LOW)
  No fix available — 2.19.2 is latest and marked last_affected.
  ignoreUntil: 2026-06-23

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@andriy-sudo andriy-sudo requested a review from a team as a code owner March 25, 2026 14:04
@coderabbitai

coderabbitai Bot commented Mar 25, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3dbd2daf-64d6-4b09-bca8-94704614692d

📥 Commits

Reviewing files that changed from the base of the PR and between 53962ad and 8060f6d.

📒 Files selected for processing (1)
  • osv-scanner.toml
✅ Files skipped from review due to trivial changes (1)
  • osv-scanner.toml

📝 Walkthrough

A new vulnerability ignore entry was added to osv-scanner.toml for GHSA-5239-wwwm-4pmq, set to be ignored until 2026-06-23T00:00:00Z. The reason notes LOW severity (CVSS 3.3) for a pygments ReDoS in AdlLexer and that no fix version has been published. This change only updates scanner configuration and does not modify code or runtime control flow.

🚥 Pre-merge checks | ✅ 2

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: accepting a security risk for a pygments ReDoS vulnerability (GHSA-5239-wwwm-4pmq) and documenting it in the configuration. |
| Description check | ✅ Passed | The description directly relates to the changeset by explaining the vulnerability risk acceptance for pygments, providing context on why it was accepted and when it will be re-evaluated. |



@andriy-sudo andriy-sudo merged commit d8a086e into main Mar 31, 2026
3 checks passed
@andriy-sudo andriy-sudo deleted the andriy/ENG-13187-fix-pygments-ghsa-5239-wwwm-4pmq branch March 31, 2026 14:22

3 participants