CVE-2021-40839

HIGH

Rencode <1.0.6 - DoS

Title source: llm

Description

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

Exploits (1)

nomisec WORKING POC 1 stars

by itlabbet · poc

https://github.com/itlabbet/CVE-2021-40839

View Code ZIP pw:eip

References (7)

[Patch, Third Party Advisory] https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75

[Patch, Third Party Advisory] https://github.com/aresch/rencode/pull/29

[Third Party Advisory] https://pypi.org/project/rencode/#history

[Mailing List, Third Party Advisory] https://seclists.org/fulldisclosure/2021/Sep/16

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20211008-0001/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMVQRPDVSVZNGGX57CFKCYT3DEYO4QB6/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/

Scores

CVSS v3 7.5

EPSS 0.1384

EPSS Percentile 94.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-835

Status published

Products (4)

fedoraproject/fedora 34

fedoraproject/fedora 35

pypi/rencode 0PyPI

rencode_project/rencode < 1.0.6

Published Sep 10, 2021

Tracked Since Feb 18, 2026