Description
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202107-36
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory x_refsource_confirm
https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
Patch, Third Party Advisory x_refsource_confirm
https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
Scores
CVSS v3
7.5
EPSS
0.0086
EPSS Percentile
75.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (9)
fedoraproject/fedora
33
fedoraproject/fedora
34
oracle/enterprise_manager_ops_center
12.4.0.0
oracle/instantis_enterprisetrack
17.1
oracle/instantis_enterprisetrack
17.2
oracle/instantis_enterprisetrack
17.3
oracle/zfs_storage_appliance_kit
8.8
pypi/urllib3
1.25.4 - 1.26.5PyPI
python/urllib3
1.25.4 - 1.26.5
Published
Jun 29, 2021
Tracked Since
Feb 18, 2026