CVE-2021-33503

HIGH

urllib3 <1.26.5 - DoS

Title source: llm

Description

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

References (6)

[Third Party Advisory] https://github.com/advisories/GHSA-q2q7-5pp4-w6pg

[Patch, Third Party Advisory] https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec

View Patch ZIP pw:eip

[Third Party Advisory] https://security.gentoo.org/glsa/202107-36

[Patch, Third Party Advisory] https://www.oracle.com/security-alerts/cpuoct2021.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/

Scores

CVSS v3 7.5

EPSS 0.0086

EPSS Percentile 74.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-400

Status published

Affected Products (9)

python/urllib3 < 1.26.5

fedoraproject/fedora

fedoraproject/fedora

oracle/enterprise_manager_ops_center

oracle/instantis_enterprisetrack

oracle/instantis_enterprisetrack

oracle/instantis_enterprisetrack

oracle/zfs_storage_appliance_kit

pypi/urllib3 < 1.26.5PyPI

Timeline

Published Jun 29, 2021

Tracked Since Feb 18, 2026