Intel

AIKIDO-2026-829845

geopy is vulnerable to Regular Expression Denial of Service (ReDoS)

Regular Expression Denial of Service (ReDoS)GHSA-mhvh-fq92-pfmr Published Today

40

Medium Risk

This Affects:

PYTHONgeopy
0.0.1 - 2.4.1
Fixed in 2.5.0
Are you affected? Scan for Free

TL;DR

geopy.Point.from_string parses coordinate strings using a regular expression that exhibits catastrophic backtracking on long, malformed inputs. An attacker who can supply an arbitrarily long coordinate-like string to any code path that calls from_string — including reverse geocoder results — can cause the regex engine to consume excessive CPU and hang the process. The fix enforces a hard input length limit of 256 characters and raises ValueError for longer strings before the regex is applied.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input to geopy.Point.from_string or to geocoder code paths that parse coordinate strings.

Background info

geopy is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 0.0.1 - 2.4.1.

How to fix this

Upgrade the geopy library to the patch version.