This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDOS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9.-]+.[a-zA-Z0-9.-]+ This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
github.com/pallets/jinja
github.com/pallets/jinja/blob/ab81fd9c277900c85da0c322a2ff9d68a235b2e6/src/jinja2/utils.py%23L20
github.com/pallets/jinja/commit/15ef8f09b659f9100610583938005a7a10472d4d
github.com/pallets/jinja/pull/1343
lists.fedoraproject.org/archives/list/[email protected]/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4
nvd.nist.gov/vuln/detail/CVE-2020-28493
security.gentoo.org/glsa/202107-19
snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994