pygments
cpe:2.3:a:pygments:pygments:*:*:*:*:*:*:*
- <= 2.19.2
A Regular Expression Denial of Service (ReDoS) vulnerability exists in Pygments versions prior to 2.19.2. The issue is located in the AdlLexer within the file pygments/lexers/archetype.py. The vulnerability arises from a regular expression designed to match GUIDs, which contains nested repeating quantifiers. This flaw allows for catastrophic backtracking, causing significant performance degradation by exhausting CPU resources. The vulnerability can block the application thread indefinitely when processing large, maliciously crafted input.
Exploitation of this vulnerability leads to a denial-of-service condition, where the application becomes unresponsive due to excessive processing time caused by the inefficient regular expression.
The vulnerability can be reproduced by passing a carefully crafted input string of 10,000 'A' characters followed by a hyphen to the AdlLexer. This input triggers the vulnerable regex, causing the lexer to experience a substantial delay as it struggles to process the nested quantifiers. The issue can be automated with a simple Python script that measures the elapsed time, confirming the denial-of-service impact.