Python applications and projects using Urllib3 have a vulnerability that allows DoS attacks

Members of a hacking course discovered that Urllib3, a popular Python HTTP client, could be exposed to the exploitation of a recently discovered denial of service (DoS) vulnerability.

It is worth mentioning that this library is used throughout the Python ecosystem by more than 200 packages, including the most popular ones such as requests, selenium and kubernetes, among others. Given this broad reach, most users of a Python project are most likely using Urllib3, directly or indirectly.

In the vulnerable version (1.25.2), logic was added to util/url.py to percent-encode invalid characters in the request target. The method _encode_invalid_chars, as written, first collects every percent-encoding match in the URL, the participants of the hacking course note.

For a URL of a given length, the size of percent_encoding grows linearly with that length. The next step (normalizing the existing percent-encoded bytes) then requires a further linear-time pass for each percent encoding, so the total work grows quadratically with the URL length. A threat actor could abuse this inefficiency to consume the processing resources of a target system, leading to a DoS condition that could persist for an undetermined period.

The report was presented to the developers of the exposed library, who recognized the flaw and promptly released version 1.25.8, in which the DoS vulnerability has been fully mitigated.

As already mentioned, this is a widely used library in Python projects, so members of the hacking course recommend that developers check whether their projects use the vulnerable version of Urllib3. Because many Python packages rely on Urllib3, the vulnerability is likely to be present in projects as an indirect dependency, so developers will not always be able to install the update themselves; that depends on the higher-level dependency that pulls it in.
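To make the quadratic-versus-linear behaviour described above concrete, and to support the version check recommended here, the following is an added example written for this article; it is a simplified reconstruction, not urllib3's own code. The `PERCENT_RE` pattern, the scan counter and the assumption that every release from 1.25.2 up to (but not including) 1.25.8 carries the slow logic are the author's assumptions for illustration.

```python
"""Simplified reconstruction (not urllib3's code) of the slow percent-encoding
normalization, its single-pass replacement, and a version check."""
import re
from typing import Tuple

# Assumed pattern for one %XX escape, as in the request-target normalization.
PERCENT_RE = re.compile(r"%[a-fA-F0-9]{2}")


def normalize_quadratic(component: str) -> Tuple[str, int]:
    """Upper-case every %xx escape the way the flawed version did.

    findall collects every escape (linear in len(component)); each str.replace
    then rescans the whole string, so total work grows quadratically.
    Returns the normalized string and the number of full-string scans made.
    """
    scans = 1  # the findall pass
    for enc in PERCENT_RE.findall(component):
        component = component.replace(enc, enc.upper())
        scans += 1  # one more full-string scan per escape found
    return component, scans


def normalize_linear(component: str) -> Tuple[str, int]:
    """Single pass: re.subn visits each escape once and copies the rest."""
    out, _count = PERCENT_RE.subn(lambda m: m.group(0).upper(), component)
    return out, 1


def is_vulnerable_version(version: str) -> bool:
    """True for urllib3 versions from 1.25.2 up to but not including 1.25.8
    (the fixed release). Assumes a numeric dotted version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return (1, 25, 2) <= v < (1, 25, 8)


if __name__ == "__main__":
    # Constructed input: a long request target made only of escapes.
    sample = "%ab%cd" * 1000
    _, slow_scans = normalize_quadratic(sample)
    _, fast_scans = normalize_linear(sample)
    print(f"flawed version: {slow_scans} scans, fixed version: {fast_scans} scan")
    try:
        from importlib.metadata import version as _ver  # Python 3.8+
        print("installed urllib3 vulnerable:", is_vulnerable_version(_ver("urllib3")))
    except Exception as exc:  # urllib3 not installed or metadata unavailable
        print("could not read installed urllib3 version:", exc)
```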

For more information on recently encountered security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the official sites of tech companies.