VYPR
Low severity · NVD Advisory · Published Apr 3, 2023 · Updated Feb 13, 2025

CVE-2023-26112

Description

All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). Note: this is only exploitable in the case of a developer putting the offending value in a server-side configuration file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The configobj Python package contains a regular expression denial-of-service vulnerability in its validate function, exploitable by a developer supplying a crafted configuration value.

Vulnerability

CVE-2023-26112 affects all versions of the Python configobj package. The validate function contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). The flaw lies in the use of the pattern (.+?)\((.*)\), which can exhibit catastrophic backtracking when processing a maliciously crafted input string [1][2].

Exploitation

Exploitation requires a developer to supply a deliberately malformed value in a server-side configuration file that is then processed by the validate method. The attack is not remotely triggerable by end users; it relies on a developer or administrator introducing the payload into the application's configuration [1]. The Snyk advisory explains that ReDoS attacks force the regex engine to take an exponentially long time to process a non-matching string, effectively blocking the application's event loop and causing a denial of service [2].

Impact

An attacker who can cause the vulnerable regex to be evaluated against a poisoned configuration value can make the Python process hang or crash, leading to a denial of service condition. The impact is limited to availability; no data confidentiality or integrity is compromised. The advisory notes that this can make the system inaccessible to legitimate users [2].

Mitigation

As of the publication date, no patch has been released for the configobj package itself. The Fedora project has issued package announcements [3][4], but these do not provide a fix. The best mitigation is to not parse untrusted or developer-supplied configuration values through the validate function, or to switch to an alternative configuration library that does not contain the vulnerable regex [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
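The regex behaviour described under Vulnerability and Mitigation above, as an added example that is not code from the page or from the configobj project: it splits a configspec check string the way the Validator's pattern does, shows that the pre-fix and fixed patterns agree on ordinary checks, and times the fixed pattern on the same input shape the fix's regression test uses. Anchoring the match at the start of the string is an assumption about the surrounding configobj code, which the page does not show; `split_check`, `redos_probe` and `match_seconds` are names chosen here.

```python
import re
import time

# Pattern used by configobj's Validator before the fix (CVE-2023-26112)
# and the pattern introduced by the fix commit 7c618b0bbaff.
VULNERABLE_FUNC_RE = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
PATCHED_FUNC_RE = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)


def split_check(check, pattern=PATCHED_FUNC_RE):
    """Split a configspec check such as "integer(0, 100)" into
    (function name, raw argument string).  A bare check like "string"
    carries no argument list and is returned as (check, None).
    Applying the pattern anchored at the start of the string is an
    assumption about the surrounding configobj code, which the page
    does not show."""
    m = pattern.match(check)
    if m is None:
        return check, None
    return m.group(1), m.group(2)


def redos_probe(size):
    """Constructed input with the shape used by the fix's regression
    test: NUL padding, one ')' and then `size` '(' characters.  It can
    never match, so the engine must exhaust every candidate split."""
    return '\x00' * size + ')' + '(' * size


def match_seconds(pattern, text):
    """Wall-clock seconds for one anchored match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Ordinary checks parse identically under both patterns ...
    for check in ('integer(0, 100)', "option('a', 'b')", 'string'):
        assert split_check(check, VULNERABLE_FUNC_RE) == split_check(check)
        print(check, '->', split_check(check))
    # ... but on the probe the old pattern's cost grows quadratically
    # (doubling the size roughly quadruples the time) because every '('
    # in the tail restarts the match, while the patched one stays linear.
    for size in (1000, 2000, 4000):  # kept small so this finishes quickly
        probe = redos_probe(size)
        print(f'size={size:5d}  vulnerable={match_seconds(VULNERABLE_FUNC_RE, probe):.4f}s'
              f'  patched={match_seconds(PATCHED_FUNC_RE, probe):.4f}s')
```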

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions   Patched versions
configobj (PyPI)   < 5.0.9             5.0.9

Patches

7c618b0bbaff

Merge pull request #236 from cdcadman/cve_2023_26112

https://github.com/DiffSK/configobj · Jelmer Vernooij · Sep 17, 2024 · via ghsa
2 files changed · +10 −2
  • src/configobj/validate.py · +1 −1 · modified
    @@ -541,7 +541,7 @@ class Validator(object):
         """
     
         # this regex does the initial parsing of the checks
    -    _func_re = re.compile(r'(.+?)\((.*)\)', re.DOTALL)
    +    _func_re = re.compile(r'([^\(\)]+?)\((.*)\)', re.DOTALL)
     
         # this regex takes apart keyword arguments
         _key_arg = re.compile(r'^([a-zA-Z_][a-zA-Z0-9_]*)\s*=\s*(.*)$',  re.DOTALL)
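Review bot: `[^\(\)]+?` on the changed line is correct but says more than it needs to. Neither parenthesis needs escaping inside a character class, and once the class can no longer consume `(` the lazy `+?` is redundant, since the repetition stops at the first `(` either way; `[^()]+` reads clearer and compiles to the same behaviour. The comment above the pattern should also record why the class excludes parentheses: with the old `(.+?)` the first group could be extended past every `(` in the remainder, each extension rescanning the tail for a closing `)`, which is the quadratic cost the regression test exercises; without that note a future cleanup may reintroduce `.+?`. Check names containing a parenthesis, which the old pattern accepted, are now rejected; that looks intended but deserves a changelog line.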
    
  • src/tests/test_validate_errors.py · +9 −1 · modified
    @@ -3,7 +3,7 @@
     import pytest
     
     from configobj import ConfigObj, get_extra_values, ParseError, NestingError
    -from configobj.validate import Validator
    +from configobj.validate import Validator, VdtUnknownCheckError
     
     @pytest.fixture()
     def thisdir():
    @@ -77,3 +77,11 @@ def test_no_parent(tmpdir, specpath):
         ini.write('[[haha]]')
         with pytest.raises(NestingError):
             conf = ConfigObj(str(ini), configspec=specpath, file_error=True)
    +
    +
    +def test_re_dos(val):
    +    value = "aaa"
    +    i = 165100
    +    attack = '\x00'*i + ')' + '('*i
    +    with pytest.raises(VdtUnknownCheckError):
    +        val.check(attack, value)
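Review bot: test_re_dos has no time bound, so a regression would make the suite hang for a very long time rather than fail; add a timeout (pytest-timeout's marker, if the project already uses that plugin) or measure the `val.check` call with `time.perf_counter()` and assert it stays under a small limit. The bare constant 165100 and the shape of `attack` (NUL padding, one `)`, then `i` `(` characters) need a comment explaining that the string can never match the check-name regex and that the count was chosen so the old pattern takes far too long. The `val` fixture is not defined in this hunk; confirm it exists in this file's fixtures rather than relying on a conftest shared with other test modules.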
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
