VYPR
High severity · 7.5 · NVD Advisory · Published Apr 30, 2024 · Updated Apr 15, 2026

CVE-2024-4340

Description

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
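One mitigation on the caller's side is to bound bracket nesting before untrusted SQL text reaches sqlparse.parse() at all. The following is an added example, not code from sqlparse or from the advisory; the function names and the depth limit of 32 are assumptions, and the scanner deliberately skips brackets inside string literals, quoted identifiers and comments so that ordinary queries are not rejected.

```python
# Added example (not sqlparse code): bound bracket nesting before the text
# reaches sqlparse.parse(). The limit of 32 is an assumed value.

DEFAULT_MAX_DEPTH = 32  # assumption: deeper than any legitimate query you expect


def max_nesting_depth(sql: str) -> int:
    """Deepest () / [] nesting in `sql`, ignoring brackets inside string
    literals, quoted identifiers, line comments and block comments."""
    depth = max_depth = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"', '`'):
            # Skip a quoted literal/identifier; a doubled quote is an escape.
            j = sql.find(ch, i + 1)
            while j != -1 and j + 1 < n and sql[j + 1] == ch:
                j = sql.find(ch, j + 2)
            i = n if j == -1 else j + 1
        elif sql.startswith('--', i):
            j = sql.find('\n', i)           # line comment runs to end of line
            i = n if j == -1 else j + 1
        elif sql.startswith('/*', i):
            j = sql.find('*/', i + 2)       # block comment runs to '*/'
            i = n if j == -1 else j + 2
        else:
            if ch in '([':
                depth += 1
                max_depth = max(max_depth, depth)
            elif ch in ')]':
                depth = max(depth - 1, 0)   # tolerate unbalanced closers
            i += 1
    return max_depth


def is_safe_to_parse(sql: str, max_depth: int = DEFAULT_MAX_DEPTH) -> bool:
    """True when `sql` may be handed to sqlparse.parse(); False when its
    nesting exceeds the bound, e.g. the advisory's '[' * 100 + ']' * 100."""
    return max_nesting_depth(sql) <= max_depth
```

Calling `is_safe_to_parse()` first lets a service reject the input with a clean error instead of relying on whichever exception type the installed sqlparse version raises once the interpreter's recursion limit is hit.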

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Affected versions   Patched versions
sqlparse (PyPI)     < 0.5.0             0.5.0

Patches

1 commit: b4a39d985096

Raise SQLParseError instead of RecursionError.

https://github.com/andialbrecht/sqlparse · Andi Albrecht · Apr 13, 2024 · via ghsa
3 files changed · +30 −6
  • CHANGELOG (+5 −0, modified)
    @@ -5,6 +5,11 @@ Notable Changes
     
     * Drop support for Python 3.5, 3.6, and 3.7.
     * Python 3.12 is now supported (pr725, by hugovk).
    +* IMPORTANT: Fixes a potential denial of service attack (DOS) due to recursion
    +  error for deeply nested statements. Instead of recursion error a generic
    +  SQLParseError is raised. See the security advisory for details:
    +  https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-2m57-hf25-phgg
    +  The vulnerability was discovered by @uriyay-jfrog. Thanks for reporting!
     
     Enhancements:
     
    
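Review bot: the changelog entry describes the new behaviour but not its compatibility impact: code that previously caught RecursionError around sqlparse.parse() will no longer see that exception and must catch SQLParseError instead. A sentence to that effect, mentioning that SQLParseError is importable from sqlparse.exceptions as the sql.py change does, would save downstream users a surprise.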
  • sqlparse/sql.py (+9 −5, modified)
    @@ -10,6 +10,7 @@
     import re
     
     from sqlparse import tokens as T
    +from sqlparse.exceptions import SQLParseError
     from sqlparse.utils import imt, remove_quotes
     
     
    @@ -209,11 +210,14 @@ def flatten(self):
     
             This method is recursively called for all child tokens.
             """
    -        for token in self.tokens:
    -            if token.is_group:
    -                yield from token.flatten()
    -            else:
    -                yield token
    +        try:
    +            for token in self.tokens:
    +                if token.is_group:
    +                    yield from token.flatten()
    +                else:
    +                    yield token
    +        except RecursionError as err:
    +            raise SQLParseError('Maximum recursion depth exceeded') from err
     
         def get_sublists(self):
             for token in self.tokens:
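Review bot: the guard lives only in TokenList.flatten(), so it converts a RecursionError solely on that path, while the description and the new test talk about sqlparse.parse() as a whole; it is worth confirming that every recursive step parse() takes for the nested input runs through flatten(), otherwise a bare RecursionError can still escape and the test would not cover it. Also worth stating in the docstring or changelog that this renames the failure rather than bounding it: the stack and CPU cost of walking the nested input is still paid up to the interpreter's recursion limit before `raise SQLParseError('Maximum recursion depth exceeded') from err` fires, so callers accepting untrusted SQL still need an input-size or nesting limit of their own.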
    
  • tests/test_regressions.py (+16 −1, modified)
    @@ -1,9 +1,11 @@
     import copy
    +import sys
     
     import pytest
     
     import sqlparse
     from sqlparse import sql, tokens as T
    +from sqlparse.exceptions import SQLParseError
     
     
     def test_issue9():
    @@ -449,4 +451,17 @@ def test_copy_issue672():
     def test_primary_key_issue740():
         p = sqlparse.parse('PRIMARY KEY')[0]
         assert len(p.tokens) == 1
    -    assert p.tokens[0].ttype == T.Keyword
    \ No newline at end of file
    +    assert p.tokens[0].ttype == T.Keyword
    +
    +
    +@pytest.fixture
    +def limit_recursion():
    +    curr_limit = sys.getrecursionlimit()
    +    sys.setrecursionlimit(70)
    +    yield
    +    sys.setrecursionlimit(curr_limit)
    +
    +
    +def test_max_recursion(limit_recursion):
    +    with pytest.raises(SQLParseError):
    +        sqlparse.parse('[' * 100 + ']' * 100)
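Review bot: the fixture sets an absolute limit with `sys.setrecursionlimit(70)` rather than one relative to the current stack depth; pytest's own frames are already on the stack when the test body runs, so on an interpreter or plugin setup where that depth approaches 70 the RecursionError fires inside pytest or during fixture teardown instead of inside sqlparse, and the test becomes flaky. A limit derived from the current depth (for example `len(inspect.stack()) + 50`) or a larger payload under the default limit would be more robust. The test also checks only the exception type; asserting that `excinfo.value.__cause__` is a RecursionError would pin down that the conversion in flatten() is what produced it.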
    

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
