{"id":"CVE-2021-33503","details":"An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.","aliases":["GHSA-q2q7-5pp4-w6pg","PYSEC-2021-108"],"modified":"2026-04-16T04:38:54.584275654Z","published":"2021-06-29T11:15:07.847Z","related":["ALSA-2021:4160","ALSA-2021:4162","GHSA-q2q7-5pp4-w6pg","SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-RU-2021:2194-1","SUSE-SU-2021:2012-1","SUSE-SU-2021:2195-1","openSUSE-SU-2021:2012-1","openSUSE-SU-2024:11277-1","openSUSE-SU-2024:12944-1","openSUSE-SU-2024:14055-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6SCV7ZNAHS3E6PBFLJGENCDRDRWRZZ6W/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FMUGWEAUYGGHTPPXT6YBD53WYXQGVV73/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202107-36"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-q2q7-5pp4-w6pg"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/urllib3/urllib3","events":[{"introduced":"7e856c04723036934fe314c63701466e4f42d2ee"},{"fixed":"d1616473df94b94f0f5ad19d2a6608cfe93b7cdf"},{"fixed":"2d4a3fee6de2fa45eb82169361918f759269b4ec"}],"database_specific":{"versions":[{"introduced":"1.25.4"},{"fixed":"1.26.5"}]}}],"versions":["1.25.4","1.25.5","1.25.6","1.25.7","1.25.8","1.26.0","1.26.1","1.26.2","1.26.3","1.26.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33503.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]},{"events":[{"introduced":"0"},{"last_affected":"12.4.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"17.1"}]},{"events":[{"introduced":"0"},{"last_affected":"17.2"}]},{"events":[{"introduced":"0"},{"last_affected":"17.3"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}