Python -- Regular Expression DoS attack against client

ID A27B0BB6-84FC-11EA-B5B4-641C67A117D8
Type freebsd
Reporter FreeBSD
Modified 2020-06-13T00:00:00

Ben Caller and Matt Schwager report:

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
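A small audit helper, added here as an example and not part of the FreeBSD advisory or of CPython, that encodes the affected version ranges quoted above so a host or fleet check can flag interpreters still in range (version strings with pre-release suffixes are rejected rather than guessed):

```python
import sys

# Affected ranges exactly as stated in the advisory, inclusive on both ends.
# "2.7 through 2.7.17" is read as 2.7.0 .. 2.7.17, and so on for each branch.
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 17)),
    ((3, 5, 0), (3, 5, 9)),
    ((3, 6, 0), (3, 6, 10)),
    ((3, 7, 0), (3, 7, 6)),
    ((3, 8, 0), (3, 8, 1)),
]


def parse_version(text):
    """Turn '3.8.1' (or '3.8') into a 3-tuple of ints, padding a missing micro with 0.

    Anything that is not two or three plain numeric components (e.g. '3.8.1rc1')
    raises ValueError so a malformed or pre-release string is never silently
    classified as safe.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Python version string: %r" % (text,))
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_affected(text):
    """True when the version lies inside one of the advisory's affected ranges."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def running_interpreter_affected():
    """Check the interpreter executing this script (major.minor.micro only)."""
    v = sys.version_info
    return is_affected("%d.%d.%d" % (v.major, v.minor, v.micro))


if __name__ == "__main__":
    state = "IS" if running_interpreter_affected() else "is not"
    print("Python %s %s in the affected ranges" % (sys.version.split()[0], state))
```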