CVE-2020-8492 Overview
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. This vulnerability affects the core Python HTTP client library, making any Python application using urllib for HTTP requests with Basic Authentication potentially vulnerable to denial of service attacks from malicious servers.
Critical Impact
A malicious HTTP server can cause Python clients to hang indefinitely by sending specially crafted WWW-Authenticate headers that trigger catastrophic regex backtracking in the Basic Authentication handler, leading to denial of service.
Affected Products
- Python 2.7 through 2.7.17
- Python 3.5 through 3.5.9
- Python 3.6 through 3.6.10
- Python 3.7 through 3.7.6
- Python 3.8 through 3.8.1
- openSUSE Leap 15.1
- Canonical Ubuntu Linux (12.04, 14.04, 16.04, 18.04, 19.10, 20.04)
- Fedora 31 and 32
- Debian Linux 9.0
Discovery Timeline
- 2020-01-30 - CVE-2020-8492 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-8492
Vulnerability Analysis
This vulnerability exists in Python's urllib.request.AbstractBasicAuthHandler class, which handles HTTP Basic Authentication challenges. The handler uses a regular expression to parse the WWW-Authenticate header returned by HTTP servers. The regex pattern contains nested quantifiers that exhibit catastrophic backtracking behavior when processing specially crafted input strings.
When a Python client makes an HTTP request to a malicious server, the server can respond with a WWW-Authenticate header containing a carefully constructed string that causes the regex engine to enter an exponentially growing number of backtracking operations. This results in the client's CPU becoming fully consumed while attempting to match the pattern, effectively creating a denial of service condition where the application becomes unresponsive.
The vulnerability is particularly concerning because it inverts the typical DoS attack model—instead of clients attacking servers, this allows servers to attack clients. Any Python application that uses urllib.request to fetch resources from untrusted URLs could be affected.
Root Cause
The root cause is a poorly constructed regular expression pattern in the AbstractBasicAuthHandler class that processes HTTP Basic Authentication challenges. The regex contains overlapping quantifiers that can match the same input in multiple ways, leading to catastrophic backtracking when the input is crafted to maximize these ambiguities. This is classified as CWE-400 (Uncontrolled Resource Consumption), as the vulnerability allows an attacker to consume excessive CPU resources on the victim's system.
Attack Vector
The attack is network-based and requires user interaction in the sense that the victim's Python application must make an HTTP request to a malicious server. The attacker must control or compromise an HTTP server that the victim application connects to. When the client sends a request, the malicious server responds with a 401 Unauthorized status code along with a WWW-Authenticate: Basic header containing a malformed realm parameter designed to trigger catastrophic regex backtracking.
The attack mechanism relies on the regex engine's backtracking behavior. By providing input that partially matches the pattern in many different ways, the attacker forces the regex engine to explore an exponentially growing number of possibilities before determining a final match or mismatch.
Detection Methods for CVE-2020-8492
Indicators of Compromise
- Python processes exhibiting 100% CPU usage during HTTP client operations
- Application hangs or timeouts when making HTTP requests to external servers
- Unusual WWW-Authenticate headers in HTTP response logs containing long or repetitive strings
- Network connections to HTTP servers that remain open indefinitely without completing
Detection Strategies
- Monitor Python application performance for sudden CPU spikes correlated with outbound HTTP requests
- Implement HTTP response header logging and analyze WWW-Authenticate headers for abnormally long or suspicious content
- Use application-level timeouts on HTTP operations to detect and recover from potential ReDoS conditions
- Deploy network monitoring to identify HTTP 401 responses with unusually large header sizes
Monitoring Recommendations
- Enable detailed logging for urllib HTTP client operations in Python applications
- Set up alerting for Python process CPU utilization exceeding normal thresholds
- Monitor application response times and flag requests that exceed expected duration
- Track HTTP error rates, particularly 401 responses from untrusted external servers
How to Mitigate CVE-2020-8492
Immediate Actions Required
- Upgrade Python to a patched version: 2.7.18+, 3.5.10+, 3.6.11+, 3.7.7+, or 3.8.2+
- Review applications for urllib usage with Basic Authentication against untrusted servers
- Implement request timeouts as a defense-in-depth measure for all HTTP client operations
- Consider using alternative HTTP libraries such as requests with explicit timeout configurations
Patch Information
The Python Software Foundation has addressed this vulnerability in subsequent Python releases. The fix modifies the regular expression pattern in urllib.request.AbstractBasicAuthHandler to eliminate the catastrophic backtracking condition. For detailed information on the fix, refer to the Python Issue Tracker Entry and the GitHub PR #18284.
Distribution-specific patches are available from:
- Ubuntu Security Notice #4333-1
- Debian LTS Announcement
- Gentoo GLSA 2020-05-09
- Fedora Package Announcements
Workarounds
- Implement socket-level timeouts using socket.setdefaulttimeout() to prevent indefinite hangs
- Use HTTP client libraries with built-in timeout functionality instead of raw urllib
- Deploy a proxy layer that inspects and sanitizes incoming HTTP headers before they reach Python applications
- Restrict outbound HTTP requests to trusted, known-good servers when possible
# Configuration example - Setting default socket timeout
python -c "import socket; socket.setdefaulttimeout(30)"
# Or in application code, ensure timeouts are set:
# import socket
# socket.setdefaulttimeout(30) # 30 second timeout
# Using requests library with explicit timeout (recommended alternative)
# pip install requests
# import requests
# response = requests.get(url, timeout=30)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
