GHSA-27jp-wm6q-gp25: sqlparse: formatting list of tuples leads to denial of service

February 13, 2026

The below gist hangs while attempting to format a long list of tuples.

This was found while drafting a regression test for Dja ngo 5.2’s composite primary key feature, which allows querying composite fields with tuples.

References

github.com/advisories/GHSA-27jp-wm6q-gp25
github.com/andialbrecht/sqlparse
github.com/andialbrecht/sqlparse/commit/40ed3aa958657fa4a82055927fa9de70ab903360
github.com/andialbrecht/sqlparse/releases/tag/0.5.4
github.com/andialbrecht/sqlparse/security/advisories/GHSA-27jp-wm6q-gp25

Code Behaviors & Features

Detect and mitigate GHSA-27jp-wm6q-gp25 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →