CVE-2020-10735 Overview
A vulnerability was discovered in Python's integer string conversion functions that allows for denial of service attacks through algorithmic complexity exploitation. When using int("text") with non-binary bases, the parsing algorithm exhibits quadratic time complexity, allowing an attacker to cause significant CPU consumption. For example, parsing an integer string with 100,000 digits takes approximately 50ms, while 1,000,000 digits can take up to 5 seconds. This vulnerability specifically impacts system availability and can be exploited remotely without authentication.
Critical Impact
Attackers can exploit this algorithmic complexity vulnerability to cause denial of service conditions by submitting extremely large integer strings to Python applications, consuming excessive CPU resources and potentially making systems unresponsive.
Affected Products
- Python (multiple versions including 3.11.0 alpha/beta/rc releases)
- Red Hat Quay 3.0.0
- Red Hat Software Collections
- Red Hat Enterprise Linux 8.0
- Fedora 35, 36, and 37
Discovery Timeline
- 2022-09-09 - CVE-2020-10735 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2020-10735
Vulnerability Analysis
This vulnerability exists in Python's integer parsing implementation, specifically affecting the int() function when converting string representations of numbers using non-binary bases (bases other than 2, 4, 8, 16, and 32). The underlying algorithm for these conversions has quadratic time complexity O(n²), where n is the number of digits in the input string. This algorithmic inefficiency becomes exploitable when processing extremely large digit strings, as the processing time grows dramatically with input size.
The vulnerability does not affect binary base conversions (int.from_bytes(), and int() for bases 2, 4, 8, 16, and 32), float() conversions, or decimal operations. The primary threat is to system availability, as an attacker can craft malicious input strings that cause Python processes to consume excessive CPU cycles.
Root Cause
The root cause is an algorithmic complexity issue (CWE-704: Incorrect Type Conversion or Cast) in Python's integer string parsing routines. When converting large strings to integers using non-binary bases (such as base 10), the implementation uses an algorithm with quadratic time complexity rather than a more efficient approach. This allows processing time to increase exponentially with input size, creating an exploitable condition for resource exhaustion attacks.
Attack Vector
The attack can be executed remotely over a network without requiring authentication or user interaction. An attacker needs to identify Python applications that accept user-controlled input and pass it to the int() function or similar conversion routines. By submitting strings containing an extremely large number of digits, the attacker can force the Python interpreter to spend excessive time parsing the input.
Common attack scenarios include:
- Web applications that parse user-supplied numeric input
- APIs that convert string parameters to integers
- Data processing pipelines that handle external numeric data
- Any service that deserializes or parses numeric strings from untrusted sources
Detection Methods for CVE-2020-10735
Indicators of Compromise
- Unusually high CPU utilization in Python processes without corresponding increases in legitimate workload
- Python interpreter processes becoming unresponsive or timing out
- Application logs showing extremely long processing times for requests containing numeric data
- Network traffic containing HTTP requests or API calls with unusually large numeric string payloads
Detection Strategies
- Monitor Python process CPU usage patterns and alert on sustained high utilization
- Implement application-layer logging to track processing times for numeric conversion operations
- Deploy web application firewalls (WAF) with rules to detect and block requests containing extremely long numeric strings
- Use endpoint detection and response (EDR) solutions to identify anomalous Python process behavior
Monitoring Recommendations
- Configure alerts for Python processes exceeding CPU thresholds for extended periods
- Monitor application response times and set thresholds for numeric parsing operations
- Track request payload sizes and flag requests with unusually large numeric string parameters
- Implement logging of input string lengths for int() conversion operations in critical applications
How to Mitigate CVE-2020-10735
Immediate Actions Required
- Update Python to patched versions that include integer string conversion limits (Python 3.11+, or backported versions for 3.10, 3.9, 3.8, 3.7)
- Implement input validation to reject numeric strings exceeding reasonable length thresholds before passing to int()
- Deploy rate limiting on endpoints that process user-supplied numeric data
- Review application code to identify all locations where user input is converted to integers
Patch Information
Security patches have been released by the Python Software Foundation and various Linux distributions. Refer to the GitHub CPython Issue #95778 for official patch information. Red Hat has released advisories for affected products - see Red Hat CVE-2020-10735 Details for RHEL-specific guidance. Fedora and Debian have also released updated packages addressing this vulnerability.
Workarounds
- Set the PYTHONINTMAXSTRDIGITS environment variable to limit the maximum number of digits in integer string conversions (available in patched versions)
- Implement application-level input validation to reject numeric strings exceeding a maximum length (e.g., 4300 digits, which is the default limit in patched versions)
- Use input sanitization middleware or WAF rules to filter requests with excessively long numeric strings
- Consider using alternative parsing methods for extremely large numbers if legitimate use cases require them
# Configuration example - Set integer string digit limit
export PYTHONINTMAXSTRDIGITS=4300
# Or configure in Python code (Python 3.11+)
# import sys
# sys.set_int_max_str_digits(4300)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
