CVE-2021-29063
Regular Expression Denial of Service (ReDOS) vulnerability in mpmath (PyPI)


What is CVE-2021-29063 About?

This is a Regular Expression Denial of Service (ReDOS) vulnerability found in Mpmath v1.0.0. It occurs when the `mpmathify` function is called with malicious input, leading to excessive resource consumption and a denial of service. The vulnerability is relatively easy to exploit with crafted input.

Affected Software

  • mpmath
    • <1.3.0
    • <46d44c3c8f3244017fe1eb102d564eb4ab8ef750

Technical Details

The vulnerability is a Regular Expression Denial of Service (ReDOS) affecting Mpmath v1.0.0. Specifically, when the mpmathify function is invoked, an attacker can supply a specially crafted input string that triggers catastrophic backtracking within a regular expression used by this function. Catastrophic backtracking occurs when the regex engine explores a vast number of paths to match an input, leading to exponential time complexity for certain patterns. This causes the CPU usage to spike, making the application unresponsive and effectively denying service.

What is the Impact of CVE-2021-29063?

Successful exploitation may allow attackers to disrupt the availability of the affected system or application, leading to a denial of service where the system becomes unresponsive or crashes.

What is the Exploitability of CVE-2021-29063?

Exploiting this vulnerability generally involves providing specially crafted input to the mpmathify function. The complexity is low to medium, primarily requiring knowledge of how to construct an input string that triggers the backtracking. There are no explicit authentication or privilege requirements, as any user or process that can call mpmathify with controlled input can trigger it. It could potentially be exploited either remotely, if the function is exposed through a network-accessible service, or locally, if misused by another application. The primary risk factor is the application's exposure of the mpmathify function to untrusted input.

What are the Known Public Exploits?

No known public exploits (PoC, author, link, commentary: none listed).

What are the Available Fixes for CVE-2021-29063?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch updates the regular expression used to parse complex numbers, making the decimal component parsing more precise by requiring only one optional decimal point, which prevents catastrophic backtracking. This change fixes CVE-2021-29063 by eliminating the Regular Expression Denial of Service (ReDoS) vulnerability where crafted input could cause the regex engine to take excessive time and consume high CPU resources.
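To make the Technical Details and the fix description concrete, here is an added example (not mpmath's own code or regex): two constructed patterns that mirror the pre-fix shape (`\d*\.?\d*`, where a run of digits can be split between two `\d*` pieces in many ways) and the fixed shape (a single optional decimal component `\d*(\.\d*)?`), a timing probe that flags superlinear backtracking on a failing match, and an input guard that bounds length and character set before any such parser runs. `MAX_NUMERIC_LEN`, `guard_numeric_input`, `parse_complex` and `growth_ratio` are assumed names for this illustration.

```python
import re
import time

# Constructed, illustrative patterns; neither is mpmath's own regex.  Both accept an
# optional real part followed by an optional imaginary part ending in "j".
# WEAK mirrors the pre-fix shape: "\d*\.?\d*" lets a digit run be split between the
# two \d* pieces in many ways, and every split is retried when the match fails.
WEAK_RE = re.compile(r"^([+-]?\d*\.?\d*)??([+-]?\d*\.?\d*j)?$")
# HARDENED mirrors the described fix: one optional decimal component "\d*(\.\d*)?",
# so digits after a point can be consumed only one way.  The real/imaginary split
# is still ambiguous (at worst quadratic), which the length guard below bounds.
HARDENED_RE = re.compile(r"^([+-]?\d*(?:\.\d*)?)??([+-]?\d*(?:\.\d*)?j)?$")

MAX_NUMERIC_LEN = 64  # assumed application limit; tune to the inputs you expect


def guard_numeric_input(text: str) -> str:
    """Bound length and character set before handing text to a numeric parser.

    Length is checked first: a regex cannot run long on a short string, which is
    the cheapest defence against a ReDoS inside a dependency.
    """
    if len(text) > MAX_NUMERIC_LEN:
        raise ValueError("numeric literal too long")
    if not re.fullmatch(r"[0-9+\-.ej()]*", text):
        raise ValueError("unexpected character in numeric literal")
    return text


def parse_complex(text: str):
    """Return (real_str, imag_str) using the hardened pattern, or None."""
    m = HARDENED_RE.fullmatch(guard_numeric_input(text))
    if m is None:
        return None
    re_part, im_part = m.group(1) or "", m.group(2) or ""
    if not any(ch.isdigit() for ch in re_part + im_part):
        return None  # only signs or points matched: not a number
    return re_part, im_part


def growth_ratio(pattern: re.Pattern, sizes=(64, 128, 256)) -> float:
    """Time a failing match on digit runs of growing length and return
    t(largest)/t(smallest).  The input grows 4x; a ratio far above 4 means the
    engine's work grows superlinearly, which is what to flag in a dependency review."""
    def measure(n: int) -> float:
        text = "1" * n + "x"  # constructed: digits followed by a non-matching character
        start = time.perf_counter()
        pattern.fullmatch(text)
        return time.perf_counter() - start
    times = [measure(n) for n in sizes]
    return times[-1] / max(times[0], 1e-9)
```

Running `growth_ratio(WEAK_RE)` against `growth_ratio(HARDENED_RE)` shows the weak pattern's match time climbing much faster than the input length, while `parse_complex` rejects oversized or malformed literals before the regex is ever consulted.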

Available Upgrade Options

  • mpmath
    • <46d44c3c8f3244017fe1eb102d564eb4ab8ef750 → Upgrade to 46d44c3c8f3244017fe1eb102d564eb4ab8ef750
  • mpmath
    • <1.3.0 → Upgrade to 1.3.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-29063?

Similar Vulnerabilities: CVE-2020-29651, CVE-2021-23437, CVE-2021-25292, CVE-2022-24706, CVE-2021-4122