
GHSA-27JP-WM6Q-GP25: Death by Parentheses: The sqlparse Recursive DoS
Vulnerability ID: GHSA-27JP-WM6Q-GP25
CVSS Score: 6.5
Published: 2026-02-13

A Denial of Service vulnerability in the widely used sqlparse Python library lets an attacker exhaust server CPU and memory with deeply nested SQL statements. The grouping engine recurses without a bound, so a crafted statement containing a very large list of tuples can crash any application that runs untrusted SQL through this library for logging, formatting, or analysis.

TL;DR

sqlparse before version 0.5.4 recurses without a bound while grouping parenthesised expressions. An attacker can trigger a Denial of Service by submitting a query with a huge list of nested tuples (for example, inside an IN clause), driving the parser into the interpreter's recursion limit or pinning the CPU. Upgrade to 0.5.4, which adds circuit breakers to the grouping engine.

⚠️ Exploit Status: POC

Technical Details

Vulnerability Type: Denial of Service (DoS)
CWE ID: CWE-400 / CWE-674
CVSS (Estimated): 6.5 (Medium)
Attack Vector: Network (via crafted SQL
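The only real fix is upgrading to sqlparse 0.5.4, but an application that formats or logs SQL it does not control also benefits from refusing absurdly nested input before the parser ever sees it. The following is an added example, written for this page and not code from the advisory or from sqlparse: a pre-parse guard that measures parenthesis nesting depth (ignoring parentheses inside string literals, quoted identifiers and comments, so a literal such as '((((' cannot trip it) and rejects statements above a bound before they reach a recursive grouping parser. The limits MAX_DEPTH and MAX_LENGTH, the function names, and the payload generator are assumptions for illustration; the payload merely reproduces the nested-tuple shape the advisory describes so the guard can be exercised, and it is never parsed by sqlparse unless the guard passes it.

```python
"""Pre-parse guard against deeply nested SQL (added example; not sqlparse's own code).

The thresholds below are assumptions: tune them to the deepest legitimate
nesting and the largest statement your application actually needs to handle.
"""

MAX_DEPTH = 64           # assumed bound on parenthesis nesting
MAX_LENGTH = 64 * 1024   # assumed bound on statement length in characters


class StatementTooComplex(ValueError):
    """Raised when a statement exceeds the nesting or length bound."""


def max_paren_depth(sql: str) -> int:
    """Return the deepest parenthesis nesting level in `sql`.

    Parentheses inside single-quoted strings, double-quoted identifiers,
    `--` line comments and `/* */` block comments are skipped, because a
    real SQL tokenizer does not treat them as grouping either.  Doubled
    quotes ('' or "") are handled as escaped quotes inside a literal.
    """
    deepest = current = 0
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if ch in ("'", '"'):
            quote = ch
            i += 1
            while i < n:                      # skip to the closing quote
                if sql[i] == quote:
                    if i + 1 < n and sql[i + 1] == quote:
                        i += 2                # escaped quote, keep going
                        continue
                    break
                i += 1
        elif sql.startswith("--", i):         # line comment to end of line
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):         # block comment to closing */
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 1
        elif ch == "(":
            current += 1
            deepest = max(deepest, current)
        elif ch == ")":
            current = max(0, current - 1)     # tolerate unbalanced input
        i += 1
    return deepest


def check_statement(sql: str, max_depth: int = MAX_DEPTH,
                    max_length: int = MAX_LENGTH) -> None:
    """Raise StatementTooComplex if `sql` exceeds either bound."""
    if len(sql) > max_length:
        raise StatementTooComplex(
            f"statement length {len(sql)} exceeds {max_length}")
    depth = max_paren_depth(sql)
    if depth > max_depth:
        raise StatementTooComplex(
            f"nesting depth {depth} exceeds {max_depth}")


def is_acceptable(sql: str) -> bool:
    """True if the statement passes the guard, False if it would be rejected."""
    try:
        check_statement(sql)
    except StatementTooComplex:
        return False
    return True


def nested_tuple_payload(depth: int) -> str:
    """Constructed input with the shape the advisory describes: an IN clause
    whose tuple list nests `depth` parentheses deep.  Used only to exercise
    the guard; it is not a payload taken from the advisory."""
    return "SELECT * FROM t WHERE id IN " + "(" * depth + "1" + ")" * depth


def safe_format(sql: str) -> str:
    """Run the guard, then hand the statement to sqlparse if it is installed.

    sqlparse is optional here so the example runs without it; when it is
    absent the statement is returned unchanged after passing the guard.
    """
    check_statement(sql)
    try:
        import sqlparse  # type: ignore
    except ImportError:
        return sql
    return sqlparse.format(sql, reindent=True)


if __name__ == "__main__":
    print(max_paren_depth("SELECT (1 + (2 * 3)) FROM t WHERE s = '(((('"))
    print(is_acceptable(nested_tuple_payload(10)))
    print(is_acceptable(nested_tuple_payload(500)))
```

Place the guard at the trust boundary (the request handler, the log sink, the query-review tool) rather than deep inside library code, and log rejections: a burst of StatementTooComplex errors from one client is a useful detection signal on its own. The guard is defence in depth for a specific input shape, not a substitute for the 0.5.4 upgrade, which bounds the recursion inside the parser itself.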
Continue reading on Dev.to


