Popular Python library, urllib3, subject to a denial of service vulnerability

Urllib3, a powerful and popular Python http client, is subject to a newly discovered denial of service vulnerability. Urllib3 is used throughout the Python ecosystem--with more than 1,200 packages listing it as a dependency including popular packages like requests, selenium, kubernetes, and more. If you have a Python project, there is a high likelihood that you are using urllib3.

Last year we reported on a CRLF injection vulnerability in urllib3.

Denial of service vulnerability

In version 1.25.2, logic was added to util/url.py to percent-encode invalid characters in the request target. The _encode_invalid_chars method as written allows for a denial of service attack. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings correspond to a linear runtime. The next step (normalizing existing percent-encoded bytes) also takes a linear runtime for each percent encoding, resulting in a polynomial runtime (O(n2)). This inefficiency could be purposefully leveraged to consume CPU, leading to a denial of service. If the percent_encodings were deduplicated, the time to compute _encode_invalid_chars would correspond to the more efficient linear runtime.

The vulnerable method was updated in version 1.25.8 to be more efficient and is no longer vulnerable to this denial of service vulnerability.

Is my project vulnerable?

Because of the widespread use of urllib3 in the Python ecosystem, it is a good idea to check your Python projects to see if you are using the vulnerable versions. To fix the problem, update your urllib3 version to the latest current version (1.25.8). Because many Python packages depend on urllib3, it is likely that the vulnerability is present in your project as an indirect dependency, meaning that you may not be able to upgrade in every case depending on your top level dependency.

Snyk makes checking your python dependencies easy. We have a free tier which includes unlimited scans for open source projects and 200 scans every month for private repositories. Snyk recently released improved support for Python in Snyk Open Source, allowing developers to remediate vulnerabilities in dependencies with the help of automated fix pull requests. Scan your project today!

Snyk loves Python

At Snyk, we love open source and want to keep it as healthy as possible. With that goal in mind, we report on new vulnerabilities not because the packages are bad (they’re not) but because we want to help developers use open source software safely and securely.  We also want to help people who have found new vulnerabilities with responsible reporting. You can disclose vulnerabilities you’ve found or vulnerabilities that are missing within Snyk Vulnerability Database, and we’ll help you verify the vulnerability and contact the maintainer. Learn more here.