{"id":"PYSEC-2023-25","details":"mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.","aliases":["CVE-2021-32837","GHSA-g3pv-pj5f-3hfq"],"modified":"2023-11-08T04:06:01.863633Z","published":"2023-01-17T22:15:00Z","references":[{"type":"ADVISORY","url":"https://securitylab.github.com/advisories/GHSL-2021-108-python-mechanize-mechanize/"},{"type":"FIX","url":"https://github.com/python-mechanize/mechanize/commit/dd05334448e9f39814bab044d2eaa5ef69b410d6"},{"type":"WEB","url":"https://github.com/python-mechanize/mechanize/blob/3acb1836f3fd8edc5a758a417dd46b53832ae3b5/mechanize/_urllib2_fork.py#L878-L879"},{"type":"WEB","url":"https://github.com/python-mechanize/mechanize/releases/tag/v0.4.6"}],"affected":[{"package":{"name":"mechanize","ecosystem":"PyPI","purl":"pkg:pypi/mechanize"},"ranges":[{"type":"GIT","repo":"https://github.com/python-mechanize/mechanize","events":[{"introduced":"0"},{"fixed":"dd05334448e9f39814bab044d2eaa5ef69b410d6"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.4.6"}]}],"versions":["0.0.10a","0.0.11a","0.0.1a","0.0.8a","0.0.9a","0.1.0a","0.1.10","0.1.11","0.1.1a","0.1.2b","0.1.4b","0.1.5b","0.1.6b","0.1.7b","0.1.8","0.1.9","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.3.0","0.3.1","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.3.7","0.4.0","0.4.1","0.4.2","0.4.3","0.4.4","0.4.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/mechanize/PYSEC-2023-25.yaml"}}],"schema_version":"1.7.3"}