{"id":"CVE-2020-7212","details":"The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denial of service (CPU consumption) because of an inefficient algorithm. The percent_encodings array contains all matches of percent encodings. It is not deduplicated. For a URL of length N, the size of percent_encodings may be up to O(N). The next step (normalize existing percent-encoded bytes) also takes up to O(N) for each step, so the total time is O(N^2). If percent_encodings were deduplicated, the time to compute _encode_invalid_chars would be O(kN), where k is at most 484 ((10+6*2)^2).","aliases":["GHSA-hmv2-79q8-fv6g","PYSEC-2020-149"],"modified":"2026-04-10T04:28:03.195193Z","published":"2020-03-06T20:15:12.707Z","references":[{"type":"ADVISORY","url":"https://github.com/urllib3/urllib3/blob/master/CHANGES.rst"},{"type":"ADVISORY","url":"https://pypi.org/project/urllib3/1.25.8/"},{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/a74c9cfbaed9f811e7563cfc3dce894928e0221a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/urllib3/urllib3","events":[{"introduced":"49eea8082ab34094d0c53f1d26e5c588d5372d74"},{"last_affected":"37ba61a8b8120cbd866d057eaa3936f4b140dee0"},{"fixed":"a74c9cfbaed9f811e7563cfc3dce894928e0221a"}],"database_specific":{"versions":[{"introduced":"1.25.2"},{"last_affected":"1.25.7"}]}}],"versions":["1.25.2","1.25.3","1.25.4","1.25.5","1.25.6","1.25.7"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-7212.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}