CVE-2022-40898
Regular Expression Denial of Service vulnerability in wheel (PyPI)


What is CVE-2022-40898 About?

Wheel, the reference implementation of the Python wheel packaging standard, is vulnerable in versions 0.37.1 and earlier to a Regular Expression Denial of Service (ReDoS). The flaw lies in the regular expression the wheel CLI uses to validate wheel file names, and it is triggered by attacker-controlled input. Exploitation is moderately easy: it takes only a specially crafted input string.

Affected Software

wheel <0.38.1

Technical Details

The Python Packaging Authority (PyPA) Wheel, specifically versions 0.37.1 and earlier, contains a Regular Expression Denial of Service (ReDoS) vulnerability. This flaw is triggered when the wheel command-line interface (CLI) attempts to validate the format of Wheel file names. An attacker can provide a specially crafted input string that, when processed by the vulnerable regular expression, causes excessive backtracking. This pathological behavior leads to a significant increase in CPU consumption, effectively rendering the wheel CLI unresponsive for an extended period and resulting in a denial-of-service condition for the process attempting to validate the file name.

What is the Impact of CVE-2022-40898?

Successful exploitation may allow attackers to cause a denial of service (DoS) by monopolizing CPU resources, making the application unresponsive.

What is the Exploitability of CVE-2022-40898?

Exploitation of this ReDoS vulnerability is of moderate complexity. An attacker needs to craft a specific input string that triggers the exponential backtracking in the vulnerable regular expression. No authentication is required, as the vulnerability lies in how arbitrary input is processed by the wheel CLI. While usually a local attack vector (via CLI execution), it could be remote if the application exposes a feature that processes user-controlled Wheel file names and uses the vulnerable wheel component internally. The main prerequisite is an environment running a vulnerable version of Wheel that parses untrusted input as a Wheel file name. The risk of exploitation is heightened in automated build or packaging systems that might process untrusted user-contributed package files.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2022-40898?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch strengthens the regular expression for parsing wheel filenames by replacing the generic '.+?' patterns with the more restrictive character classes [^-]+? and [^.]+?, so that no field can match across a separator character in untrusted input. This prevents catastrophic backtracking and regular expression DoS, addressing CVE-2022-40898 by making the regex immune to malicious filenames crafted with many hyphens or dots to trigger excessive computation.
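As an added illustration of the fix described above (example code, not the wheel project's own; both patterns are reconstructed from that description and the field names are assumed), this parses wheel filenames with the restricted character classes and times a hyphen-heavy input to show it is decided without catastrophic backtracking:

```python
import re
import time
from typing import Optional

# Hardened shape: every field is a restricted character class, so a field can
# never swallow a "-" (or, for the platform tag, a ".") separator. Reconstructed
# from the fix description; not the project's code verbatim.
HARDENED_RE = re.compile(
    r"^(?P<namever>(?P<name>[^-]+?)-(?P<ver>[^-]+?))(-(?P<build>\d[^-]*))?"
    r"-(?P<pyver>[^-]+?)-(?P<abi>[^-]+?)-(?P<plat>[^.]+?)\.whl$"
)

# Pre-fix shape, shown for contrast only and never applied to untrusted input:
# with ".+?" in every field, each hyphen is a choice point for every field, so
# a name that ultimately fails to match triggers catastrophic backtracking.
LEGACY_RE = re.compile(
    r"^(?P<namever>(?P<name>.+?)-(?P<ver>.+?))(-(?P<build>\d[^-]*))?"
    r"-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$"
)


def parse_wheel_filename(filename: str) -> Optional[dict]:
    """Return the tag fields of a wheel filename, or None if it is malformed."""
    match = HARDENED_RE.match(filename)
    if match is None:
        return None
    # Drop the composite "namever" group; the individual fields are enough.
    return {k: v for k, v in match.groupdict().items() if k != "namever"}


def parse_timed(filename: str) -> tuple:
    """Parse with the hardened pattern and report wall-clock seconds spent,
    so a hostile input can be shown to complete in linear time."""
    start = time.perf_counter()
    result = parse_wheel_filename(filename)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    print(parse_wheel_filename("requests-2.28.1-py3-none-any.whl"))
    # Constructed hyphen-heavy input of the kind the advisory describes
    # (5000 separators and no valid ".whl" suffix, so the match must fail).
    hostile = "-".join(["a"] * 5000) + ".wh"
    print(parse_timed(hostile))
```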

Available Upgrade Options

  • wheel
    • <0.38.1 → Upgrade to 0.38.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-40898?

Similar vulnerabilities: CVE-2022-23514, CVE-2022-23516, CVE-2021-3807, CVE-2020-15160, CVE-2016-5120