What is GHSA-73jc-5mrq-prw7?

GHSA-73jc-5mrq-prw7 is a security advisory published by GitHub Security Advisories with High severity. SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser

Which CVE IDs does GHSA-73jc-5mrq-prw7 cover?

GHSA-73jc-5mrq-prw7 covers the following CVE IDs: CVE-2026-46374. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-73jc-5mrq-prw7?

GHSA-73jc-5mrq-prw7 has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

Which products are affected by GHSA-73jc-5mrq-prw7?

GHSA-73jc-5mrq-prw7 affects 1 product, including: pip/sqlfluff:\u003c 4.2.0.

GHSA-73jc-5mrq-prw7HighCVSS 7.5

SQLFluff: Uncontrolled Resource Consumption in SQLFluff Parser

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-46374 →

📋 Description

### Impact In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. ### Patches Versions 4.2.0 and up contain a configurable parse node limit, which is enabled by default, to prevent this manner of exploit. ### Credit Ori Nakar from Imperva Threat Research Team.

🎯 Affected products1

pip/sqlfluff:< 4.2.0

🔗 References (2)

https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-73jc-5mrq-prw7
https://github.com/advisories/GHSA-73jc-5mrq-prw7