ReDoS vulnerability in email regex in mixin.py (feedparser ≤ 6.0.11)

Hi, I came across this potential vulnerability and previously reached out Kurt, it's been over a month so going to post it kinda publicly.

## Summary
feedparser ≤ 6.0.11 (and confirmed in the 6.0.12 dev branch) contains a ReDoS vulnerability in the email regex inside `_sync_author_detail()` in `feedparser/mixin.py`.

## Affected Code
File: `feedparser/mixin.py` ~line 746
Pattern: `(([a-zA-Z0-9\-]+\.)+)`

The nested quantifier causes O(n²) backtracking when a crafted <author> string is processed.

## Impact
An attacker hosting a malicious RSS/Atom feed can cause CPU exhaustion in any application calling `feedparser.parse(feed_url)`. Multiple <item> elements linearly amplify the impact.

## Proof of Concept
https://gist.github.com/kmanan/3ef665c68463fa3dddb593aff4ac0405

Run: `pip install feedparser && python feedparser_redos_poc.py`

## Proposed Fix
Replace the nested quantifier with a flat character class:
`[a-zA-Z0-9\-.]+` (no nesting)

The PoC includes a safe regex comparison (Part 5) confirming the fix processes identical inputs in constant/linear time.

## Disclosure Timeline
- Reported to Snyk: ~3/16/2026
- Maintainer notified: 3/9/2026
- Public disclosure: today

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

ReDoS vulnerability in email regex in mixin.py (feedparser ≤ 6.0.11) #562

Summary

Affected Code

Impact

Proof of Concept

Proposed Fix

Disclosure Timeline

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

ReDoS vulnerability in email regex in mixin.py (feedparser ≤ 6.0.11) #562

Description

Summary

Affected Code

Impact

Proof of Concept

Proposed Fix

Disclosure Timeline

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions