{"ecosystem":"pypi","package":"pydantic","version":null,"bugs":[{"id":354,"ecosystem":"pypi","package_name":"pydantic","affected_version":null,"fixed_version":"7e83fdd2563ffac081db7ecdf1affa65ef38c468","bug_id":"osv:PYSEC-2021-47","title":"PYSEC-2021-47: advisory","description":"Pydantic is a data validation and settings management using Python type hinting. In affected versions passing either `'infinity'`, `'inf'` or `float('inf')` (or their negatives) to `datetime` or `date` fields causes validation to run forever with 100% CPU usage (on one CPU). Pydantic has been patched with fixes available in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available on pypi(https://pypi.org/project/pydantic/#history), and will be available on conda-forge(https://anaconda.org/conda-forge/pydantic) soon. See the changelog(https://pydantic-docs.helpmanual.io/) for details. If you absolutely can't upgrade, you can work around this risk using a validator(https://pydantic-docs.helpmanual.io/usage/validators/) to catch these values. This is not an ideal solution (in particular you'll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic.\n\nIf you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue at https://github.com/samuelcolvin/pydantic/issues requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh","labels":["CVE-2021-29510","GHSA-5jqp-qgf6-3pvh"],"created_at":"2026-04-19T04:31:20.471247+00:00","updated_at":"2026-04-19T04:31:20.471247+00:00"},{"id":353,"ecosystem":"pypi","package_name":"pydantic","affected_version":"2.0.0","fixed_version":"2.4.0","bug_id":"osv:GHSA-mr82-8j83-vxmv","title":"Pydantic regular expression denial of service","description":"Regular expression denial of service in Pydantic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3772","labels":["CVE-2024-3772"],"created_at":"2026-04-19T04:31:20.470639+00:00","updated_at":"2026-04-19T04:31:20.470639+00:00"},{"id":352,"ecosystem":"pypi","package_name":"pydantic","affected_version":null,"fixed_version":"1.6.2","bug_id":"osv:GHSA-5jqp-qgf6-3pvh","title":"Use of \"infinity\" as an input to datetime and date fields causes infinite loop in pydantic","description":"\nImpact\n\nPassing either 'infinity', 'inf' or float('inf') (or their negatives) to datetime or date fields causes validation to run forever with 100% CPU usage (on one CPU).\nPatches\n\nPydantic has been patched with fixes available in the following versions:\n\n    v1.8.2\n    v1.7.4\n    v1.6.2\n\nAll these versions are available on pypi, and will be available on conda-forge soon.\n\nSee the changelog for details.\nWorkarounds\n\nIf you absolutely can't upgrade, you can work around this risk using a validator to catch these values, brief demo:\n\nfrom datetime import date\nfrom pydantic import BaseModel, validator\n\nclass DemoModel(BaseModel):\n    date_of_birth: date\n\n    @validator('date_of_birth', pre=True)\n    def skip_infinite_values(cls, v):\n        try:\n            seconds = float(v)\n        except (ValueError, TypeError):\n            return v\n        else:\n            if seconds == float('inf'):\n                return date.max\n            elif seconds == float('-inf'):\n                return date.min\n            else:\n                return seconds\n\nNote: this is not an ideal solution (in particular you'll need a slightly different function for datetimes), instead of a hack like this you should upgrade pydantic.\n\nIf you are not using v1.8.x, v1.7.x or v1.6.x and are unable to upgrade to a fixed version of pydantic, please create an issue requesting a back-port, and we will endeavour to release a patch for earlier versions of pydantic.\nReferences\n\nThis was fixed in commit 7e83fdd.\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh","labels":["CVE-2021-29510","PYSEC-2021-47"],"created_at":"2026-04-19T04:31:20.469557+00:00","updated_at":"2026-04-19T04:31:20.469557+00:00"},{"id":21,"ecosystem":"pypi","package_name":"pydantic","affected_version":"2.5.0","fixed_version":"2.5.2","bug_id":"github:#8185","title":"model_dump with mode='json' loses timezone on datetime fields","description":"datetime fields with timezone info were serialized as naive strings in 2.5.0. Fixed in 2.5.2.","severity":"medium","status":"closed","source":"github_issues","source_url":"https://github.com/pydantic/pydantic/issues/8185","labels":["bug","serialization","datetime"],"created_at":"2026-04-19T03:24:37.026210+00:00","updated_at":"2026-04-19T03:25:24.808390+00:00"}],"total":4,"_cache":"miss"}