
Python applications and projects using Urllib3 have a vulnerability that allows DoS attacks

Members of a hacking course discovered that Urllib3, a popular Python HTTP client, is affected by a recently discovered denial of service (DoS) vulnerability.

It is worth mentioning that this library is used throughout the whole Python ecosystem, with more than 200 packages depending on it, including the most popular ones such as requests, selenium and kubernetes, among others. Given how widely it is used, most users of a Python project are most likely using Urllib3, whether they know it or not.

In the vulnerable version (1.25.2), logic was added to util/url.py to percent-encode invalid characters in the request target. The method _encode_invalid_chars, as written, first collects every percent-encoding match in the string, the participants of the hacking course mention.

For a URL of a given length, building that percent_encodings list takes time linear in the length of the URL. The next step (normalizing the existing percent-encoded bytes) also requires a linear pass over the string for each percent-encoding found, so the total work grows far faster than the input. A threat actor could abuse this inefficiency with a crafted request target to consume the processing resources of a target system, leading to a DoS condition that could last for an undetermined period.
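To make the cost difference concrete, here is an added illustration (not urllib3's own code) of the two normalization strategies the article describes: one that collects all matches first and then rescans the whole string once per match, and one that uppercases each percent-encoding in a single pass. Both return the normalized string plus a count of characters scanned, so the growth in work can be compared on constructed inputs without relying on wall-clock timing. The regular expression and helper names are assumptions for this example.

```python
import re

# Assumed pattern for one percent-encoded byte, e.g. "%2f" or "%2F".
PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")


def normalize_quadratic(component):
    """Uppercase every percent-encoding the way the article describes the
    slow logic: gather all matches, then run a whole-string replace for
    each one. Returns (normalized_string, characters_scanned)."""
    scanned = 0
    for enc in PERCENT_RE.findall(component):
        if not enc.isupper():
            # str.replace walks the entire component on every call,
            # so N encodings in a string of length L cost about N * L.
            component = component.replace(enc, enc.upper())
            scanned += len(component)
    return component, scanned


def normalize_linear(component):
    """Single pass: substitute each match in place as it is found, so the
    cost is proportional to the string length regardless of match count."""
    result, _count = PERCENT_RE.subn(lambda m: m.group(0).upper(), component)
    return result, len(component)


def compare(num_encodings):
    """Build a constructed request target of `num_encodings` lowercase
    percent-encodings and return (quadratic_scanned, linear_scanned)."""
    target = "/" + "%2f" * num_encodings
    _, slow = normalize_quadratic(target)
    _, fast = normalize_linear(target)
    return slow, fast


if __name__ == "__main__":
    for n in (10, 100, 1000):
        slow, fast = compare(n)
        print(f"{n:5d} encodings: rescanning cost {slow:9d} chars, single pass {fast:6d} chars")
```

Both functions produce identical output; only the amount of work differs, and the ratio between the two counts grows with the number of encodings in the request target, which is exactly the property a crafted oversized URL exploits.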

The report was presented to the developers of the exposed library, who in turn recognized the presence of the flaw and rushed to release version 1.25.8, in which the DoS vulnerability has been fully mitigated.

As already mentioned, this is a widely used library in Python projects, so members of the hacking course recommend that developers check whether their projects use the vulnerable version of Urllib3. Many Python packages rely on Urllib3, so the vulnerability is likely to be present in projects as an indirect dependency, and whether developers can install the update may depend on the higher-level dependency that pulls Urllib3 in.
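One way to perform that check from inside an environment, as an added example that is not part of the original article: read the installed Urllib3 version from package metadata, compare it against the range the article implies (the slow logic appeared in 1.25.2 and was mitigated in 1.25.8), and list every installed distribution that declares a requirement on Urllib3, so that the higher-level dependency responsible for pinning it can be identified. Function names and the exact vulnerable range are assumptions of this example.

```python
import re
from importlib import metadata

# Bounds taken from the article: first affected release and first fixed release.
FIRST_AFFECTED = (1, 25, 2)
FIXED = (1, 25, 8)


def parse_version(text):
    """Turn '1.25.8' (or '1.26.0b1') into a 3-tuple of ints; any pre-release
    suffix is ignored, which is enough for a simple range comparison."""
    parts = []
    for piece in text.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the version lies in the affected range implied by the article."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def dependents_of(package="urllib3"):
    """Map each installed distribution that requires `package` to the
    requirement lines it declares, so indirect dependencies are visible."""
    found = {}
    for dist in metadata.distributions():
        for req in dist.requires or []:
            # Requirement name ends at the first version, extra, or marker token.
            name = re.split(r"[\s;<>=!~\[(]", req, 1)[0].lower()
            if name == package:
                found.setdefault(dist.metadata["Name"], []).append(req)
    return found


def audit(package="urllib3"):
    """Return the installed version, whether it is in the affected range,
    and which installed packages depend on it."""
    try:
        installed = metadata.version(package)
    except metadata.PackageNotFoundError:
        return {"installed": None, "vulnerable": False, "dependents": {}}
    return {
        "installed": installed,
        "vulnerable": is_vulnerable(installed),
        "dependents": dependents_of(package),
    }


if __name__ == "__main__":
    report = audit()
    print("urllib3 installed:", report["installed"])
    print("in affected range:", report["vulnerable"])
    for name, reqs in sorted(report["dependents"].items()):
        print(f"  required by {name}: {', '.join(reqs)}")
```

Run it inside each virtual environment or container image you ship; when the report lists a dependent that pins an old Urllib3, that package, not your own requirements file, is where the upgrade has to happen.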

For more information on recently encountered security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the official sites of tech companies.
