Hi, I came across this potential vulnerability and previously reached out to Kurt; it's been over a month, so I'm going to post it, kinda publicly.
Summary
feedparser ≤ 6.0.11 (and confirmed in the 6.0.12 dev branch) contains a ReDoS (regular-expression denial-of-service) vulnerability in the email regex inside _sync_author_detail() in feedparser/mixin.py.
Affected Code
File: feedparser/mixin.py, ~line 746
Pattern: (([a-zA-Z0-9\-]+\.)+)
The quantified group is itself nested inside a quantifier (a + around a group that contains +), so a crafted author string makes the regex engine backtrack O(n²) before the search fails.
Impact
An attacker hosting a malicious RSS/Atom feed can cause CPU exhaustion in any application that calls feedparser.parse(feed_url) on it; the author string is run through the regex during parsing, before the caller sees any of the feed's content. Every author-like element handled by _sync_author_detail() runs the regex once, so multiple such elements in one feed amplify the impact linearly.
Proof of Concept
https://gist.github.com/kmanan/3ef665c68463fa3dddb593aff4ac0405
Run: pip install feedparser && python feedparser_redos_poc.py
Proposed Fix
Replace the nested quantifier with a flat character class:
[a-zA-Z0-9\-.]+ (no nesting)
Note that the flat class accepts a superset of what the original matched: it no longer requires a dot in the domain part, so inputs such as user@localhost (and domains containing consecutive dots) now match where the original did not. The PoC includes a safe regex comparison (Part 5) confirming the fix processes identical inputs in linear time.
Disclosure Timeline
- Maintainer notified: 3/9/2026
- Reported to Snyk: ~3/16/2026
- Public disclosure: today
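The following harness is an added example for this report; it is not feedparser's code and not the gist's PoC. It takes the two domain sub-patterns quoted above (the reported nested one and the proposed flat one) and wraps each in a simplified email regex whose shape is an assumption: local part, "@", domain labels, then a 2-4 letter TLD, without the bracketed-IP and "?subject=" branches of the real pattern. It checks that the two agree on ordinary author strings (and shows one input, root@localhost, where the flat class matches and the original does not), and times both on a constructed adversarial author string so the scaling with n can be compared. The names email_regex, extract_email, crafted_author, time_search and compare are all hypothetical.

```python
import re
import time

# Added example for this report; it is neither feedparser's code nor the gist's
# PoC. The two domain sub-patterns are quoted from the report. The email pattern
# wrapped around them is an ASSUMPTION: a simplified shape resembling
# feedparser's regex (local part, "@", domain labels, 2-4 letter TLD), without
# the bracketed-IP and "?subject=" branches of the real one.

NESTED_DOMAIN = r"(([a-zA-Z0-9\-]+\.)+)"   # reported pattern: + nested inside +
FLAT_DOMAIN = r"([a-zA-Z0-9\-.]+)"          # proposed fix: one flat character class


def email_regex(domain_part: str) -> "re.Pattern[str]":
    """Build the simplified email regex (assumed shape) around a domain sub-pattern."""
    return re.compile(r"([a-zA-Z0-9_.+-]+)@" + domain_part + r"([a-zA-Z]{2,4})")


VULNERABLE = email_regex(NESTED_DOMAIN)
FIXED = email_regex(FLAT_DOMAIN)


def extract_email(pattern: "re.Pattern[str]", author: str):
    """Return the first email-like substring found in an author string, or None."""
    m = pattern.search(author)
    return m.group(0) if m else None


def crafted_author(n: int) -> str:
    """Constructed adversarial author string: n dotted labels and no valid TLD,
    so every search attempt fails only after backtracking through the labels."""
    return "user@" + "a." * n + "!"


def time_search(pattern: "re.Pattern[str]", text: str) -> float:
    """Seconds spent in one pattern.search() call on text."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


def compare(n: int) -> dict:
    """Run both patterns on the crafted input of size n; report result and time."""
    text = crafted_author(n)
    return {
        "n": n,
        "vulnerable_match": extract_email(VULNERABLE, text),
        "fixed_match": extract_email(FIXED, text),
        "vulnerable_seconds": time_search(VULNERABLE, text),
        "fixed_seconds": time_search(FIXED, text),
    }


if __name__ == "__main__":
    # Behaviour check on ordinary author strings: the two patterns agree on
    # dotted domains, but the flat class also accepts a domain with no dot.
    for author in ("Kurt McKee <kurt@example.com>",
                   "a@mail.example.co.uk",
                   "root@localhost"):
        print(f"{author!r:34} nested={extract_email(VULNERABLE, author)!r:24} "
              f"flat={extract_email(FIXED, author)!r}")
    # Timing on growing crafted inputs; compare how each column grows with n.
    for n in (2000, 4000, 8000):
        r = compare(n)
        print(f"n={r['n']:5d}  nested={r['vulnerable_seconds']:.3f}s  "
              f"flat={r['fixed_seconds']:.3f}s")
```

The behaviour rows are the part worth keeping in a regression test when the fix lands: they pin down exactly which author strings change result under the flat class, which is the question a reviewer of the patch will ask.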