CVE-2023-49083
Regular Expression Denial of Service (ReDoS) vulnerability in cryptography (PyPI)

Regular Expression Denial of Service (ReDoS) No known exploit

What is CVE-2023-49083 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the `huggingface/transformers` library, specifically in `tokenization_nougat_fast.py`. It allows attackers to trigger excessive CPU usage and application downtime via specially crafted input, leading to a denial of service. Exploitation is moderately easy, requiring specific input patterns.

Affected Software

  • cryptography
    • >3.1, <41.0.6
    • <f09c261ca10a31fe41b1262306db7f8f1da0e48a

Technical Details

The ReDoS vulnerability is present in the post_process_single() function within tokenization_nougat_fast.py of the huggingface/transformers library (v4.46.3). The flaw stems from a regular expression exhibiting exponential time complexity under certain input conditions. When a specially crafted string is provided, the regex engine engages in excessive backtracking, consuming significant CPU resources. This prolonged processing time for a single input effectively starves the application of resources, leading to a Denial of Service (DoS) by making the application unresponsive and potentially causing downtime. The vulnerability doesn't require any special privileges or authentication, only the ability to supply input that is processed by the vulnerable function.
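The failure mode described above, as an added illustration that is not code from the affected project: the actual regular expression in post_process_single() is not reproduced on this page, so the pattern, the input length limit and the function names below are constructed stand-ins. The block shows why a nested-quantifier pattern backtracks exponentially on a near-miss input, and the two defensive changes a maintainer would apply (an unambiguous rewrite that accepts the same language, plus an input size bound).

```python
import re
import time

# Constructed stand-in for a ReDoS-prone pattern: the nested quantifiers in
# (\w+\s?)+ let the engine split a run of word characters between the inner
# and outer loops in exponentially many ways, and every split is tried before
# a near-miss input such as "aaaa...!" is finally rejected.
AMBIGUOUS_RE = re.compile(r"^(?:\w+\s?)+$")

# Same language, written so each character has exactly one possible owner:
# a word, then zero or more (space, word) pairs, then an optional trailing space.
LINEAR_RE = re.compile(r"^\w+(?:\s\w+)*\s?$")

MAX_INPUT_LEN = 10_000  # assumed bound; size it for the real call site


def backtracking_seconds(n: int) -> float:
    """Time the ambiguous pattern on an n-character near-miss input."""
    text = "a" * n + "!"
    start = time.perf_counter()
    AMBIGUOUS_RE.match(text)
    return time.perf_counter() - start


def is_word_sequence(text: str) -> bool:
    """Hardened check: bound the input size, then match with the linear pattern."""
    if len(text) > MAX_INPUT_LEN:
        raise ValueError(f"input exceeds {MAX_INPUT_LEN} characters")
    return LINEAR_RE.match(text) is not None


if __name__ == "__main__":
    # Each extra character roughly doubles the time taken by the ambiguous pattern.
    for n in (16, 18, 20, 22):
        print(f"n={n}: ambiguous pattern took {backtracking_seconds(n):.3f}s")
    # The hardened check rejects the same near-miss input in linear time.
    print(is_word_sequence("a" * 22 + "!"))
```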

What is the Impact of CVE-2023-49083?

Successful exploitation may allow attackers to cause an application to become unresponsive, leading to denial of service, resource exhaustion, and potential downtime for affected services.

What is the Exploitability of CVE-2023-49083?

Exploitation of this ReDoS vulnerability involves crafting a specific input string that triggers the exponential time complexity of the regular expression. This typically requires some understanding of regex behavior and can be of moderate complexity. There are no authentication or privilege requirements, as the attack vector is simply submitting data to an endpoint that processes it with the vulnerable regex function. The attack can be initiated remotely. The primary risk factors are public-facing endpoints that accept arbitrary user input and pass it to the post_process_single() function, as well as applications running on resource-constrained environments that are more susceptible to CPU exhaustion.

What are the Known Public Exploits?

No known public exploits are listed; the PoC / Author / Link / Commentary table is empty.

What are the Available Fixes for CVE-2023-49083?

Available Upgrade Options

  • cryptography
    • <f09c261ca10a31fe41b1262306db7f8f1da0e48a → Upgrade to f09c261ca10a31fe41b1262306db7f8f1da0e48a
    • >3.1, <41.0.6 → Upgrade to 41.0.6


Additional Resources

What are Similar Vulnerabilities to CVE-2023-49083?

Similar Vulnerabilities: CVE-2023-45133, CVE-2023-38408, CVE-2023-38407, CVE-2023-38406, CVE-2023-38405