GHSA-hmv2-79q8-fv6g

Suggest an improvement
Source
https://github.com/advisories/GHSA-hmv2-79q8-fv6g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-hmv2-79q8-fv6g/GHSA-hmv2-79q8-fv6g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hmv2-79q8-fv6g
Aliases
Published
2021-04-30T17:31:43Z
Modified
2024-02-17T05:35:52.988346Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Uncontrolled Resource Consumption in urllib3
Details

The encodeinvalidchars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percentencodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percentencodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percentencodings were deduplicated, the time to compute encodeinvalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).

References

Affected packages

PyPI / urllib3

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.25.2
Fixed
1.25.8

Affected versions

1.*

1.25.2
1.25.3
1.25.4
1.25.5
1.25.6
1.25.7

Database specific

{
    "last_known_affected_version_range": "<= 1.25.7"
}