GHSA-g75f-g53v-794x: Bleach linkify(parse_email=True) CPU exhaustion via unbounded email regex scanning
Bleach 6.3.0 exposes a documented email-linkification path through bleach.linkify(..., parse_email=True). The implementation scans attacker-controlled text with EMAIL_RE.finditer() over the full character token and has no length, timeout, or linear prefilter before applying the dot-atom email regex. A non-email payload around 30 KB causes multi-second CPU consumption per request/call, creating a direct availability risk for applications that enable email linkification on user-submitted text.
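A defensive wrapper for callers that need email linkification on user-submitted text, added here as an example (not Bleach's own code): it supplies the length cap and the linear prefilter the advisory says the upstream path lacks, so the dot-atom regex only runs on short input that could actually hold an address. The `DEFAULT_MAX_EMAIL_SCAN` value and the `linkify` injection parameter are assumptions of this example.

```python
"""Guarded wrapper around bleach.linkify(parse_email=True).

Added example, not Bleach's own code. parse_email is enabled only when the
text is short enough and contains the minimum shape of an email address,
so the unbounded EMAIL_RE scan never sees large non-email payloads.
"""
import re

# Conservative cap (assumption for this example, not a Bleach constant) on how
# much text is handed to the email regex; well under the ~30 KB the advisory
# reports as already costing multiple seconds of CPU.
DEFAULT_MAX_EMAIL_SCAN = 8 * 1024

# Linear-time hint: an address needs an '@' followed by a '.' before the next
# whitespace or '@'. Text failing this cannot contain a linkifiable email.
_EMAIL_HINT_RE = re.compile(r"@[^\s@]*\.")


def should_parse_email(text: str, max_len: int = DEFAULT_MAX_EMAIL_SCAN) -> bool:
    """Return True only if running the email regex is both bounded and useful."""
    if len(text) > max_len:
        return False
    return _EMAIL_HINT_RE.search(text) is not None


def guarded_linkify(text: str, max_len: int = DEFAULT_MAX_EMAIL_SCAN,
                    linkify=None, **kwargs) -> str:
    """linkify() with parse_email decided by should_parse_email().

    `linkify` defaults to bleach.linkify; it is injectable so the prefilter
    can be exercised (and unit-tested) without Bleach installed.
    """
    if linkify is None:
        import bleach  # lazy import: the prefilter itself has no dependency
        linkify = bleach.linkify
    return linkify(text, parse_email=should_parse_email(text, max_len), **kwargs)
```

Text that fails the guard is still linkified for URLs; only the email pass is skipped, which is the safe default for oversized or address-free input.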