CVE-2019-19274: Out-of-bounds Read

November 26, 2019 (updated December 9, 2019)

typed_ast has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code.

References

bugs.python.org/issue36495
nvd.nist.gov/vuln/detail/CVE-2019-19274

Detect and mitigate CVE-2019-19274 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →