The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-03-06T19:14:54

Updated: 2024-08-04T09:25:48.318Z

Reserved: 2020-01-16T00:00:00

Link: CVE-2020-7212

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-03-06T20:15:12.707

Modified: 2024-11-21T05:36:50.467

Link: CVE-2020-7212

cve-icon Redhat

Severity :

Publid Date: 2020-03-06T00:00:00Z

Links: CVE-2020-7212 - Bugzilla