geopy is vulnerable to Regular Expression Denial of Service (ReDoS)
40
Medium Risk
geopy.Point.from_string parses coordinate strings using a regular expression that exhibits catastrophic backtracking on long, malformed inputs. An attacker who can supply an arbitrarily long coordinate-like string to any code path that calls from_string — including reverse geocoder results — can cause the regex engine to consume excessive CPU and hang the process. The fix enforces a hard input length limit of 256 characters and raises ValueError for longer strings before the regex is applied.
You are affected if you are using a version that falls within the vulnerable range and your application passes untrusted input to geopy.Point.from_string or to geocoder code paths that parse coordinate strings.
geopy is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 0.0.1 - 2.4.1.
Upgrade the geopy library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant