CVE-2021-33503
Denial of Service vulnerability in urllib3 (PyPI)
What is CVE-2021-33503 About?
urllib3 before 1.26.5 is vulnerable to a Regular Expression Denial of Service (ReDoS) when processing URLs whose authority component contains many '@' characters. An attacker who can get such a URL into the library triggers catastrophic backtracking in the regular expression that parses the authority (user:pass@host:port). Exploitation requires nothing more than a specifically malformed URL.
Affected Software
- urllib3 (PyPI): <1.26.5 (also listed as >1.25.4, <1.26.5)
- urllib3 (git): commits before 2d4a3fee6de2fa45eb82169361918f759269b4ec
Technical Details
The urllib3 library, in versions prior to 1.26.5, contains a Regular Expression Denial of Service (ReDoS) vulnerability. The regular expression used to parse the authority component of a URL (e.g., user:pass@host:port) is prone to catastrophic backtracking when the input contains numerous @ characters, such as http://user@user@user@.... If a URL of this shape reaches urllib3, either directly as a request parameter or as the Location target of an HTTP redirect that the library follows, the regex engine consumes CPU for a time that grows steeply with the number of @ characters. The match runs synchronously in the calling thread, so the request handler stalls for that long; in a deployment with a single worker process this takes the whole application offline.
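As an added worked example (my code, not urllib3's or the vendor's), the following Python shows the two things a practitioner wants at this point: deciding whether an installed release predates the fix, and splitting the authority component without a regex that can backtrack across repeated '@' characters. The splitting strategy follows my reading of the fix commit linked below (the userinfo boundary is taken with a single rpartition on the last '@', and only host:port is matched by a regex), but the regex, the function names and the constructed hostile input are mine, not the library's.

```python
import re
import time
from typing import Optional, Tuple

# First fixed release named by the advisory.
FIXED_VERSION = (1, 26, 5)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.26.4' into (1, 26, 4). Plain dotted releases only, which is
    all the 1.26.x line discussed here uses."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when a urllib3 release predates the fix in 1.26.5.

    The advisory page also lists the narrower range >1.25.4, <1.26.5; for an
    upgrade decision only the upper bound matters.
    """
    return parse_version(version) < FIXED_VERSION


# Host:port matcher with no nested or overlapping quantifiers: a bracketed
# IPv6 literal or a run of non-colon characters, then an optional numeric
# port. Each piece stops deterministically, so matching stays linear.
_HOST_PORT_RE = re.compile(r"^(\[[^\]]*\]|[^:]*)(?::([0-9]{0,5}))?$")


def split_authority(authority: str) -> Tuple[Optional[str], str, Optional[int]]:
    """Split 'userinfo@host:port' into (userinfo, host, port) without a
    backtracking-prone regex.

    RFC 3986 allows no unescaped '@' in the host, so the userinfo/host
    boundary is the LAST '@' and every earlier one belongs to userinfo.
    str.rpartition finds it in one linear pass, so an authority made of
    thousands of '@' signs costs the same as an ordinary one. Illustrative
    code modelled on my reading of the upstream fix, not urllib3's own.
    """
    userinfo, sep, host_port = authority.rpartition("@")
    match = _HOST_PORT_RE.match(host_port)
    if match is None:
        raise ValueError(f"invalid host/port: {host_port!r}")
    host, port = match.groups()
    port_num = int(port) if port else None
    if port_num is not None and port_num > 65535:
        raise ValueError(f"port out of range: {port_num}")
    return (userinfo if sep else None), host, port_num


def time_split(authority: str) -> float:
    """Wall-clock seconds split_authority needs for one input; used below to
    show the hostile authority is handled as fast as a normal one."""
    start = time.perf_counter()
    split_authority(authority)
    return time.perf_counter() - start


if __name__ == "__main__":
    for release in ("1.26.4", "1.26.5", "1.26.18"):
        print(release, "affected" if is_affected(release) else "fixed")

    # Constructed hostile input of the shape the advisory describes:
    # many '@' characters in front of an otherwise valid host.
    hostile = "@" * 50_000 + "example.com"
    print(split_authority("user:pw@example.com:8080"))
    print(split_authority("[::1]:443"))
    print("hostile authority split in %.6f s" % time_split(hostile))
```

The version check is what to run first in an incident: `python -c "import urllib3; print(urllib3.__version__)"` and feed the result to `is_affected`. Where an upgrade must wait, note that a valid authority contains at most one unescaped '@' (userinfo cannot contain one per RFC 3986), so rejecting URLs with more than one '@' in the authority before they reach the vulnerable parser is a cheap stopgap, not a substitute for moving to 1.26.5.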
What is the Impact of CVE-2021-33503?
Successful exploitation lets an unauthenticated attacker pin the CPU of the process that parses the URL, making the application unresponsive for as long as the match runs; repeating the request keeps it unavailable. There is no confidentiality or integrity impact, only availability.
What is the Exploitability of CVE-2021-33503?
Exploitation is of low complexity and requires no authentication or special privileges. It is remotely triggerable: the attacker only needs to get a crafted URL in front of an application that uses the vulnerable urllib3. The one prerequisite is that the application parses URLs the attacker influences, whether through user input or by following HTTP redirects from a server the attacker controls. Any publicly reachable endpoint that accepts a URL parameter, or that fetches attacker-chosen destinations (webhooks, link previews, proxies, redirect-following clients), is therefore exposed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-33503?
About the Fix from Resolved Security
Available Upgrade Options
- urllib3 (git): <2d4a3fee6de2fa45eb82169361918f759269b4ec → Upgrade to 2d4a3fee6de2fa45eb82169361918f759269b4ec
- urllib3 (PyPI): >1.25.4, <1.26.5 → Upgrade to 1.26.5
Additional Resources
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/urllib3/urllib3/security/advisories/GHSA-q2q7-5pp4-w6pg
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W
- https://github.com/urllib3/urllib3/commit/5b047b645f5f93900d5e2fc31230848c25eb1f5f#diff-52026d639119bf1e0364836b4e8a18bd9ed3c95c6ba39b26534a5057a65e35bbR65
- https://github.com/urllib3/urllib3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73
- https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
- https://github.com/advisories/GHSA-q2q7-5pp4-w6pg
- https://security.gentoo.org/glsa/202107-36
What are Similar Vulnerabilities to CVE-2021-33503?
Similar Vulnerabilities: CVE-2021-27292, CVE-2021-23364, CVE-2020-8294, CVE-2020-28283, CVE-2019-11324
