SQLFluff: Recursive Stack Overflow in Parser
Description
Impact
In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any application using the parser to trigger a Denial of Service through resource exhaustion.
Patches
Versions 4.1.0 and up contain a configurable recursion limit, which is enabled by default, to prevent this manner of exploit.
Credit
Ori Nakar from Imperva Threat Research Team.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Untrusted users can cause denial of service via resource exhaustion by submitting deeply nested SQL queries to the SQLFluff parser before version 4.1.0.
Vulnerability
SQLFluff versions prior to 4.1.0 contain a parser that lacks a configurable recursion limit. In deployments where untrusted users can provide SQL queries to be linted (e.g., a web linting service), a malicious user can submit a query with deliberate excessive nesting. This causes the parser to recurse deeply, triggering resource exhaustion and a Denial of Service. The vulnerability is present in all SQLFluff versions before 4.1.0, regardless of dialect or template configuration [1][2][3].
Exploitation
An attacker needs only the ability to submit a crafted SQL query to an application using the affected SQLFluff parser (no authentication required if the service is public). The attacker constructs a SQL statement with deeply nested subqueries or parentheses, beyond the parser's default recursion capacity. The query is then parsed, causing the recursive parser to consume excessive stack memory and CPU until the process crashes or becomes unresponsive [2][3].
Impact
Successful exploitation results in a Denial of Service (availability impact). The parser becomes unresponsive, potentially affecting all users of the application. There is no direct confidentiality or integrity impact, but the service disruption can lead to indirect data loss or business impact if the linter is part of a CI/CD pipeline or critical workflow [2][3].
Mitigation
Upgrade to SQLFluff version 4.1.0 or later, which introduces a configurable recursion limit enabled by default [2]. For versions prior to 4.1.0, consider restricting access to the parser to trusted users only, or applying a temporary workaround such as adding a query length limit in the calling application. No known exploitation in the wild has been reported as of the advisory publication date (May 2026), and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog [2][3].
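For deployments that cannot upgrade yet, the mitigation above suggests a limit enforced in the calling application. The following Python is an added example, not SQLFluff's own code: it measures the deepest parenthesis nesting in a submitted query (ignoring parentheses inside string literals, quoted identifiers and comments, so a harmless literal cannot trip the gate) and rejects queries that exceed a depth or length budget before they are handed to the linter. The limit values, function names and the sample queries are assumptions constructed for the example.

```python
"""Pre-parse nesting-depth gate for SQL handed to a linter (added example)."""

# Assumed budgets; tune to what the linter's recursion capacity allows.
DEFAULT_MAX_DEPTH = 50
DEFAULT_MAX_LEN = 100_000


def max_paren_depth(sql: str) -> int:
    """Return the deepest level of parenthesis nesting in `sql`.

    Parentheses inside single-quoted strings, double-quoted identifiers,
    `--` line comments and `/* */` block comments are skipped, so only
    structural nesting is counted.
    """
    depth = 0
    max_depth = 0
    i = 0
    n = len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            # Skip a quoted literal/identifier; a doubled quote is an escape.
            quote = ch
            i += 1
            while i < n:
                if sql[i] == quote:
                    if i + 1 < n and sql[i + 1] == quote:
                        i += 2
                        continue
                    break
                i += 1
        elif sql.startswith("--", i):
            # Line comment: jump to the newline (or end of input).
            end = sql.find("\n", i)
            i = n if end == -1 else end
        elif sql.startswith("/*", i):
            # Block comment: jump to the closing '*/' (or end of input).
            end = sql.find("*/", i + 2)
            i = n if end == -1 else end + 1
        elif ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth = max(0, depth - 1)  # tolerate unbalanced input
        i += 1
    return max_depth


def check_query(sql: str,
                max_depth: int = DEFAULT_MAX_DEPTH,
                max_len: int = DEFAULT_MAX_LEN) -> tuple[bool, str]:
    """Return (accepted, reason). Cheap O(n) checks run before any parsing."""
    if len(sql) > max_len:
        return False, f"query too long ({len(sql)} > {max_len} chars)"
    depth = max_paren_depth(sql)
    if depth > max_depth:
        return False, f"nesting too deep ({depth} > {max_depth})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: a normal query and a pathologically nested one.
    ok_sql = "SELECT * FROM (SELECT id FROM (SELECT 1 AS id) t) u"
    bad_sql = "(" * 200 + "SELECT 1" + ")" * 200
    for sample in (ok_sql, bad_sql):
        accepted, reason = check_query(sample)
        print(f"{'accept' if accepted else 'reject'}: {reason}")
```

Run the gate in the request handler that receives user-supplied SQL and only call the linter on queries it accepts; the rejection reason is safe to log for detection of repeated abuse. The depth counter is a rough proxy for parser recursion, not a replacement for the recursion limit in 4.1.0 and later.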
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: < 4.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.