CVE-2021-33503 Overview
CVE-2021-33503 is a Regular Expression Denial of Service (ReDoS) vulnerability discovered in Python's urllib3 library before version 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service. This vulnerability can be triggered if a malicious URL is passed as a parameter or if an application follows an HTTP redirect to a crafted URL.
Critical Impact
Applications using vulnerable versions of urllib3 can be rendered unresponsive through crafted URLs containing multiple @ characters, leading to CPU exhaustion and denial of service conditions.
Affected Products
- Python urllib3 (versions before 1.26.5)
- Fedora Project Fedora 33 and 34
- Oracle Enterprise Manager Ops Center 12.4.0.0
- Oracle Instantis EnterpriseTrack 17.1, 17.2, and 17.3
- Oracle ZFS Storage Appliance Kit 8.8
Discovery Timeline
- June 29, 2021 - CVE-2021-33503 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-33503
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The flaw exists in the URL parsing logic within urllib3's url.py module. The authority component of a URL (the part between :// and the path) is parsed using a regular expression pattern that attempts to identify userinfo, host, and port segments. When a URL contains many @ characters, the regex engine experiences exponential time complexity due to catastrophic backtracking, consuming excessive CPU resources.
The vulnerability is particularly dangerous because urllib3 is one of the most widely used HTTP client libraries in the Python ecosystem and is a dependency for many popular packages including requests. An attacker can exploit this by either directly providing a malicious URL to an application or by controlling a server that issues HTTP redirects to crafted URLs.
Root Cause
The root cause lies in the SUBAUTHORITY_PAT regular expression pattern used to parse the authority component of URLs. The original pattern ^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$ uses a greedy (.*) capture group to match the userinfo portion before the @ symbol. When multiple @ characters are present, the regex engine backtracks exponentially trying different combinations of where to split the userinfo from the host portion.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending a crafted URL directly to an application that processes URLs using urllib3
- Hosting a malicious server that redirects requests to a URL containing many @ characters
- Injecting malicious URLs into any input field that gets processed by urllib3
The following patch was applied to fix the vulnerability by restructuring how the authority component is parsed:
BRACELESS_IPV6_ADDRZ_RE = re.compile("^" + IPV6_ADDRZ_PAT[2:-2] + "$")
ZONE_ID_RE = re.compile("(" + ZONE_ID_PAT + r")\]$")
-SUBAUTHORITY_PAT = (u"^(?:(.*)@)?(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
+_HOST_PORT_PAT = ("^(%s|%s|%s)(?::([0-9]{0,5}))?$") % (
REG_NAME_PAT,
IPV4_PAT,
IPV6_ADDRZ_PAT,
)
-SUBAUTHORITY_RE = re.compile(SUBAUTHORITY_PAT, re.UNICODE | re.DOTALL)
+_HOST_PORT_RE = re.compile(_HOST_PORT_PAT, re.UNICODE | re.DOTALL)
UNRESERVED_CHARS = set(
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-~"
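Review bot: the hunk only renames and narrows the pattern; the call sites of SUBAUTHORITY_RE are not in this excerpt, so the change is safe only if every former caller now peels userinfo off with a string split on the last "@" before matching _HOST_PORT_RE, otherwise an authority such as "user:pw@host" no longer matches the anchored pattern and parsing fails. Worth confirming in the rest of the commit, together with a regression test that feeds an authority containing many "@" characters and asserts that parsing completes quickly with the final segment as host. Also note that the port group is still "[0-9]{0,5}", which accepts an empty port and values above 65535, so the empty-string-to-None conversion and the range check must happen in the caller.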
Source: GitHub Commit
The fix eliminates the problematic greedy userinfo capture group by splitting the authority parsing into separate operations, first handling the @ delimiter through string operations rather than regex, then applying the regex only to the host:port portion.
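As an added illustration (not urllib3's own code), the parsing strategy the fix adopts, written out with a simplified host:port pattern that is an assumption standing in for the library's REG_NAME/IPv4/IPv6 alternatives:

```python
import re

# Simplified host:port pattern (assumption: a stand-in for urllib3's
# REG_NAME/IPv4/IPv6 alternatives). Like the fixed _HOST_PORT_PAT it is
# anchored and carries no optional userinfo group in front of the host.
_HOST_PORT_RE = re.compile(
    r"^([A-Za-z0-9._~%-]*|\[[0-9A-Fa-f:.%]+\])(?::([0-9]{0,5}))?$"
)


def parse_authority(authority: str):
    """Split an authority into (userinfo, host, port) the way the fix does:
    peel userinfo off at the LAST '@' with a string operation, then apply the
    anchored regex to host:port only. Cost is linear in len(authority) no
    matter how many '@' it contains, because the regex never sees them."""
    userinfo, _, host_port = authority.rpartition("@")
    m = _HOST_PORT_RE.match(host_port)
    if m is None:
        raise ValueError("invalid host:port: %r" % host_port)
    host, port = m.groups()
    # The pattern admits an empty port (":" with no digits) and up to five
    # digits, so normalise "" to None and range-check the rest here.
    if port:
        if int(port) > 65535:
            raise ValueError("port out of range: %s" % port)
        port_value = int(port)
    else:
        port_value = None
    return (userinfo or None, host, port_value)
```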
Detection Methods for CVE-2021-33503
Indicators of Compromise
- Unusual CPU spikes on application servers processing HTTP requests
- Application timeouts or hangs when processing URL-related operations
- Log entries showing URLs with excessive @ characters in the authority component
- Slow response times from services that rely on urllib3 for HTTP operations
Detection Strategies
- Monitor application performance metrics for unexpected CPU usage patterns during URL processing
- Implement input validation to detect and reject URLs with abnormal numbers of @ characters before they reach urllib3
- Use dependency scanning tools to identify urllib3 versions prior to 1.26.5 in your environment
- Deploy application-level monitoring to detect regex processing timeouts
Monitoring Recommendations
- Set up alerts for process CPU utilization exceeding normal thresholds on systems running Python applications
- Monitor Python application logs for timeout exceptions related to HTTP client operations
- Implement network monitoring to detect potential redirect chains pointing to malicious URLs
- Use SIEM rules to correlate multiple denial of service indicators across application infrastructure
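Added example (not from the original page) of the log-based indicator and the input-validation gate described above: it counts "@" characters in the authority component only, so userinfo with a single "@" and "@" inside a query string do not raise false positives. The log lines are constructed for illustration.

```python
import re

# Constructed access-log lines for illustration (not from any real system).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jul/2021:10:00:01 +0000] "GET /fetch?u=https://user:pw@example.com/a HTTP/1.1" 200',
    '10.0.0.6 - - [01/Jul/2021:10:00:02 +0000] "GET /fetch?u=http://example.com/?x=me@host HTTP/1.1" 200',
    '10.0.0.7 - - [01/Jul/2021:10:00:03 +0000] "GET /fetch?u=http://a' + "@" * 20 + 'b HTTP/1.1" 504',
])

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def authority_of(url: str) -> str:
    """Authority component: text after '://' up to the first '/', '?' or '#'."""
    return re.split(r"[/?#]", url.partition("://")[2], maxsplit=1)[0]


def at_count(url: str) -> int:
    """Number of '@' characters in the authority component only."""
    return authority_of(url).count("@")


def flag_suspicious(log_text: str, max_at: int = 1):
    """Return (line_no, at_count, url) for every URL in the log whose authority
    carries more than max_at '@' characters. One '@' is legitimate userinfo;
    more than one has no valid meaning and matches the CVE's trigger shape."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for url in URL_RE.findall(line):
            c = at_count(url)
            if c > max_at:
                hits.append((n, c, url))
    return hits


def url_within_at_limit(url: str, max_at: int = 1) -> bool:
    """Application-layer gate: check the URL before it reaches urllib3 so the
    parser never spends CPU on an authority with excessive '@' characters."""
    return at_count(url) <= max_at
```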
How to Mitigate CVE-2021-33503
Immediate Actions Required
- Upgrade urllib3 to version 1.26.5 or later immediately across all Python environments
- Audit all applications and dependencies that use urllib3 to ensure complete coverage
- Review any URL processing logic for additional input validation opportunities
- Consider implementing request timeouts as a defense-in-depth measure
Patch Information
The vulnerability is fixed in urllib3 version 1.26.5 and later. The patch modifies the URL parsing approach by removing the vulnerable regex pattern and implementing a more efficient string-based parsing strategy for the authority component. The fix is available through the GitHub commit. Additional vendor-specific patches are available from Oracle Security Alerts for affected Oracle products.
Workarounds
- Implement URL validation at the application layer to reject URLs containing more than one @ character in the authority component
- Use web application firewalls (WAF) to filter requests containing potentially malicious URL patterns
- Configure request timeouts to limit the impact of potential ReDoS attacks on application availability
- Consider implementing rate limiting on endpoints that process user-supplied URLs
# Upgrade urllib3 to patched version
pip install --upgrade "urllib3>=1.26.5"
# Verify installed version
pip show urllib3 | grep Version
# For virtual environments, update requirements.txt
echo "urllib3>=1.26.5" >> requirements.txt
pip install -r requirements.txt
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.