Black Code Formatter CVE-2024-21503: ReDoS Vulnerability in `lines_with_leading_tabs_expanded` Function
A denial-of-service vulnerability, CVE-2024-21503, has been identified in the widely used Python code formatter `black`. The flaw is a Regular Expression Denial of Service (ReDoS) in the `lines_with_leading_tabs_expanded` function in `strings.py`, the helper that expands leading tabs in docstrings before they are reformatted. It affects all versions of `black` prior to 24.3.0: a crafted input, in practice a docstring line consisting of thousands of leading tab characters, makes the function's regular expression backtrack for an effectively unbounded time, so simply submitting such a file to the tool is the attack.
The vulnerability is reachable only when `black` processes untrusted code; formatting your own sources is not an exposure unless an attacker can contribute to them. On a malicious input the regular expression in the vulnerable function consumes CPU for a time that grows polynomially (roughly cubically) with the number of leading tabs, hanging the formatter and stalling anything that waits on it: pre-commit hooks, CI/CD formatting and lint stages, and any service that runs `black` on user-submitted code. The update from version 23.0.0 to 26.0.0 proposed in the automated Renovatebot pull request carries the fix, since every release from 24.3.0 onward contains it.
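To make the failure mode concrete, the following added example (not code from the `black` project) reproduces the leading-tab regex as I recall it from `lines_with_leading_tabs_expanded` in releases before 24.3.0 (verify against the tagged `strings.py` before citing it) next to a regex-free rewrite written here in the spirit of the upstream fix, not copied from it. The payload generator and the timing probe are my own; the inputs are constructed.

```python
"""Added example: pre-24.3.0 leading-tab regex versus a backtracking-free
rewrite, plus a timing probe showing the ReDoS growth.

Not black's own code.  The pattern below is reproduced from memory of the
vulnerable lines_with_leading_tabs_expanded() (black <= 24.2.0); the safe
function is an equivalent written for this example, not the upstream patch.
"""
import re
import time
from typing import List

# Three overlapping whitespace quantifiers followed by a mandatory \S.  On a
# line of n tabs with no non-whitespace character, every way of splitting the
# tabs between \s*, \t+ and \s* is tried before the match fails: about n^3/6
# backtracking steps.
_LEADING_TABS_RE = re.compile(r"\s*\t+\s*(\S)")


def expand_leading_tabs_vulnerable(s: str) -> List[str]:
    """Pre-24.3.0 behaviour: locate the first non-whitespace char via the regex
    and expand only the tabs in front of it."""
    lines = []
    for line in s.splitlines():
        match = _LEADING_TABS_RE.match(line)
        if match:
            idx = match.start(1)  # index of the first non-whitespace character
            lines.append(line[:idx].expandtabs() + line[idx:])
        else:
            lines.append(line)
    if s.endswith("\n"):
        lines.append("")
    return lines


def expand_leading_tabs_safe(s: str) -> List[str]:
    """Same result with no regex: one lstrip() per line, linear in its length."""
    lines = []
    for line in s.splitlines():
        stripped = line.lstrip()
        if not stripped or stripped == line:
            # Whitespace-only line, or no leading whitespace: nothing to expand.
            lines.append(line)
        else:
            prefix = line[: len(line) - len(stripped)]
            lines.append(prefix.expandtabs() + stripped)
    if s.endswith("\n"):
        lines.append("")
    return lines


def redos_payload(n_tabs: int) -> str:
    """Constructed attacker input: a docstring line of n tabs and nothing
    else, so the trailing (\\S) can never match and backtracking runs out."""
    return "\t" * n_tabs


def time_vulnerable(n_tabs: int) -> float:
    """Seconds the vulnerable regex spends failing on a payload of n tabs."""
    line = redos_payload(n_tabs)
    start = time.perf_counter()
    _LEADING_TABS_RE.match(line)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Doubling the tab count should cost roughly 8x; 400 tabs is already ~1e7
    # steps, and a real payload of several thousand tabs never returns.
    for n in (50, 100, 200, 400):
        print(f"{n:4d} tabs: {time_vulnerable(n):8.4f}s")
    big = redos_payload(100_000)
    start = time.perf_counter()
    expand_leading_tabs_safe(big)
    print(f"safe rewrite on 100000 tabs: {time.perf_counter() - start:.4f}s")
```

Running the block prints the timing table; the vulnerable regex is deliberately never exercised on a large payload at import time, so the two functions can be compared on ordinary input without risk. The two implementations agree on lines with leading tabs, mixed spaces and tabs, whitespace-only lines and lines with no indentation, which is the property an upgrade should preserve.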
The exposure matters because of `black`'s role as a foundational dev tool: its integration into pre-commit hooks, linting stages, and automated formatting scripts means the flaw can be used to stall software delivery and build processes wherever those pipelines format code from outside contributors. The dependency-update PR was autoclosed, so the pinned version should be checked rather than assumed to have been bumped; any pin that still resolves to a version below 24.3.0 remains an open liability. Organizations and developers should upgrade to `black` 24.3.0 or later, for example by requiring `black>=24.3.0` in their dependency constraints, and confirm the installed version with `black --version`.