CVE-2024-3772 in Pydantic
Summary
by MITRE • 04/15/2024
Regular expression denial of service in Pydantic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.
Analysis
by VulDB Data Team • 12/09/2025
CVE-2024-3772 is a critical security flaw in the Pydantic validation library affecting versions prior to 2.4.0 (2.x line) and prior to 1.10.13 (1.x line). It is a regular expression denial of service (ReDoS) in the library's email address validation: the validation code relies on a regular expression whose matching time grows sharply on certain inputs, so a crafted email string gives a remote attacker a way to consume CPU and disrupt service availability.
The root cause lies in the regular expression patterns Pydantic uses for email validation inside its schema validation mechanisms. These patterns are susceptible to catastrophic backtracking: for specific input shapes the regex engine explores an exponentially growing number of ways to match the string before it can report failure, which translates directly into CPU time and resource exhaustion. The flaw is especially dangerous because email validation is a routine operation in web applications that is typically exposed to unauthenticated input, so any system relying on Pydantic for data validation can be affected.
Operationally, the vulnerability is a substantial risk for organizations that use Pydantic for input validation. An attacker submits maliciously crafted email strings that trigger the vulnerable patterns, and each such request ties up CPU (and, with it, request handlers and memory) for far longer than a legitimate request would. The impact goes beyond a slow endpoint: validation usually runs early in the request path, so exhausted workers affect application availability as a whole and can cascade into dependent systems and services. In high-traffic applications a single malicious request can cause significant performance degradation or complete unavailability, which also makes the flaw a prime amplifier for distributed denial of service attacks.
Organizations should immediately prioritize upgrading Pydantic to version 2.4.0 or later (2.x) or 1.10.13 or later (1.x). The upgrade should be accompanied by comprehensive testing to confirm compatibility with existing application code and validation logic. As defense in depth, input validation at multiple layers of the application architecture (for example, enforcing maximum field lengths before any pattern matching runs) limits exposure to similar vulnerabilities. Rate limiting and input sanitization at the network or gateway level can serve as interim measures until the upgrade is complete. Security teams should also watch for related vulnerabilities elsewhere in the Python ecosystem, since this class of flaw often reflects a broader pattern of regular expression usage that can affect other validation libraries and components.
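The following is an added example written for this analysis; it is not Pydantic's code and not the fix shipped in 2.4.0 or 1.10.13. It illustrates the two points above in working Python: the root-cause discussion (a validation regex should not contain ambiguous, nested quantifiers that allow catastrophic backtracking) and the defense-in-depth mitigation (bound the input length and structure before any regex runs). The length limits are taken from RFC 5321; the patterns and the function name check_email are my own assumptions for illustration.

```python
"""Added example (not Pydantic's code): a length-bounded, backtracking-safe
email check that can sit in front of a validation library as an extra layer."""
import re

# Limits from RFC 5321: local part <= 64 octets, domain <= 255 octets,
# whole address (forward path) <= 254 octets. Enforcing them first caps the
# amount of work any later regex can do, regardless of how that regex is written.
MAX_LOCAL = 64
MAX_DOMAIN = 255
MAX_TOTAL = 254

# Both patterns use plain character classes separated by a literal dot and no
# nested or overlapping quantifiers. Because '.' is not part of the class, the
# engine has exactly one way to match each character, so matching stays linear
# in the input length instead of backtracking exponentially.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_RE = re.compile(rf"{_ATOM}(?:\.{_ATOM})*")
# A DNS label: 1-63 chars, alphanumeric at both ends, hyphens allowed inside.
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def check_email(value: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    Cheap structural checks (length, exactly one '@') run before any regular
    expression, so an oversized or malformed string is rejected in O(n) time
    without ever reaching the pattern matcher.
    """
    if len(value) > MAX_TOTAL:
        return False, "too long"
    if value.count("@") != 1:
        return False, "must contain exactly one '@'"
    local, domain = value.split("@")
    if not local or len(local) > MAX_LOCAL:
        return False, "local part length"
    if not domain or len(domain) > MAX_DOMAIN:
        return False, "domain length"
    # Only now run the (linear-time) patterns on the already-bounded parts.
    if not _LOCAL_RE.fullmatch(local):
        return False, "local part characters"
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.fullmatch(label) for label in labels):
        return False, "domain labels"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, including an oversized one that is rejected
    # before any regex is consulted.
    for sample in ["alice@example.com", "a" * 300 + "@example.com", "a..b@example.com"]:
        print(sample[:40], "->", check_email(sample))
```

Used as a pre-validator (for example in a request middleware or a Pydantic field validator that runs before the library's own email check), this keeps the expensive path unreachable for oversized input; it does not replace upgrading to a fixed Pydantic release.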
The vulnerability maps to CWE-400, "Uncontrolled Resource Consumption", and shows how a poorly designed regular expression becomes a resource exhaustion vector. The attack pattern follows the denial of service methodology described in the ATT&CK framework under the "Resource Exhaustion" technique, in which adversaries consume system resources to prevent legitimate users from accessing a service. It also reflects a recurring weakness in development practice around input validation and regular expression security, underlining the value of security testing (including fuzzing validation patterns with adversarial input) and code review in keeping such flaws out of production.