CVE-2021-27291: 
Python vulnerability analysis and mitigation

CVE-2021-27291 affects Pygments versions 1.1+ up to 2.7.4, a syntax highlighting library for Python. The vulnerability was discovered by Ben Caller from Doyensec and disclosed in March 2021. The issue affects the lexers used to parse programming languages, which rely heavily on regular expressions (Doyensec Advisory).

The vulnerability stems from regular expressions that have exponential or cubic worst-case complexity in various lexers. Multiple vulnerable patterns were identified across different language parsers, including ODIN, CADL, Factor, Ceylon, Matlab, and others. For example, one vulnerable pattern '[+-]?(\d+)*.\d+%?' in archetype.py has exponential complexity. The CVSS v3.1 base score is 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

By crafting malicious input, an attacker can cause a denial of service (DoS) through Regular Expression Denial of Service (ReDoS). The vulnerability affects multiple programming language parsers, and when exploited, can cause the application to hang or consume excessive CPU resources (Doyensec Advisory).

The vulnerability was fixed in Pygments version 2.7.4 by modifying the regular expressions to avoid overlapping capture groups. The fix was implemented in commit 2e7e8c4 on January 11, 2021, and the patched version was released on January 12, 2021. Various Linux distributions have also released security updates to address this vulnerability (Pygments Commit).