MEDIUM 5.9
PYSEC-2026-909
pymatgen is vulnerable to Regular Expression Denial of Service (ReDoS)
Details
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package, when an attacker is able to supply arbitrary input to the `GaussianInput.from_string` method.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / pymatgen
Introduced in:
0 Fixed in: 2025.10.7 Fix
pip install --upgrade 'pymatgen>=2025.10.7' References
- https://nvd.nist.gov/vuln/detail/CVE-2022-42964 [ADVISORY]
- https://github.com/materialsproject/pymatgen/issues/2755 [WEB]
- https://github.com/materialsproject/pymatgen [PACKAGE]
- https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184 [WEB]
- https://pypi.org/project/pymatgen [PACKAGE]
- https://github.com/advisories/GHSA-5jqp-885w-xj32 [ADVISORY]
- https://github.com/materialsproject/pymatgen/pull/4476 [FIX]
- https://github.com/materialsproject/pymatgen/commit/8d2ca2296109f9e5a4ac1c751eee650ab4303108 [FIX]