PYSEC-2021-108 — Vulnetix

PYSEC-2021-108 PUBLISHED CVSS 8.699999809265137 HIGH

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Risk Scores

CVSS v4.0

8.699999809265137

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	urllib3	0, 0.2, 0.3

Timeline

Jun 29, 2021 CVE Published
Nov 8, 2023 CVE Updated

References

https://github.com/advisories/GHSA-q2q7-5pp4-w6pg advisory
https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec fix

Open in Interactive Console →