CVE-2022-45061 Overview
CVE-2022-45061 is a denial of service vulnerability discovered in Python's IDNA (Internationalized Domain Names in Applications) decoder implementation as defined in RFC 3490. The vulnerability stems from an unnecessary quadratic algorithm that processes certain inputs, allowing an attacker to craft unreasonably long hostnames that cause excessive CPU consumption when processed by the decoder.
This vulnerability is particularly concerning because hostnames are frequently supplied by remote servers that could be controlled by malicious actors. In practical attack scenarios, an attacker could trigger excessive CPU consumption on client systems attempting to process attacker-supplied hostnames. For example, the malicious payload could be delivered via the Location header in an HTTP 302 redirect response, causing the victim's system to exhaust CPU resources while processing the crafted hostname.
Critical Impact
Remote attackers can cause CPU denial of service by supplying crafted hostnames through various vectors including HTTP redirect headers, potentially affecting any Python application that processes external URLs or domain names.
Affected Products
- Python versions before 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16
- Fedora 35, 36, and 37
- NetApp Active IQ Unified Manager (VMware vSphere and Windows)
- NetApp E-Series Performance Analyzer
- NetApp Element Software
- NetApp HCI and HCI Compute Node
- NetApp Management Services for Element Software
- NetApp ONTAP Select Deploy Administration Utility
- NetApp Bootstrap OS
Discovery Timeline
- November 9, 2022 - CVE-2022-45061 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2022-45061
Vulnerability Analysis
The vulnerability exists within Python's IDNA decoder, which is responsible for converting internationalized domain names to their ASCII-compatible encoding (Punycode). The IDNA standard (RFC 3490) allows domain names to contain Unicode characters, which must be processed and converted for DNS lookups.
The core issue is an algorithmic complexity flaw (CWE-407) where certain code paths in the IDNA decoder exhibit quadratic time complexity O(n²) instead of the expected linear complexity O(n). When processing a carefully crafted hostname with specific character sequences, the decoder enters a computationally expensive processing loop that scales poorly with input length.
An attacker can exploit this by presenting an extremely long, specially crafted hostname to any Python application that processes external domain names. The quadratic nature of the algorithm means that doubling the input length quadruples the processing time, allowing relatively small payloads to consume significant CPU resources.
Root Cause
The root cause is an inefficient algorithm in the IDNA decoder's processing path. When handling certain input patterns, the decoder performs redundant operations that scale quadratically with the input length. This algorithmic inefficiency allows crafted inputs to consume disproportionate CPU resources relative to their size.
The issue specifically affects the hostname decoding functionality, which is invoked whenever Python applications process URLs, make HTTP requests, or handle any network operations involving domain names. The fix involves optimizing the algorithm to eliminate the quadratic complexity in the affected code path.
Attack Vector
The attack can be executed remotely over the network without any authentication or user interaction required. Common attack vectors include:
HTTP Redirect Exploitation: An attacker controlling a web server can respond to requests with a 302 redirect containing a malicious hostname in the Location header. When the client follows the redirect, Python's URL processing code invokes the vulnerable IDNA decoder.
DNS Response Manipulation: In scenarios where attackers can influence DNS responses or provide hostnames through other network protocols, the malicious payload can be delivered to trigger the vulnerability.
User-Supplied URLs: Applications that accept and process URLs from untrusted sources (web scrapers, API clients, link validators) are particularly susceptible as users can directly supply crafted hostnames.
The attack requires no special privileges and can be launched against any Python application that processes external hostnames, making it a significant availability concern for networked Python applications.
Detection Methods for CVE-2022-45061
Indicators of Compromise
- Abnormally high CPU utilization by Python processes without corresponding increase in legitimate workload
- HTTP clients hanging or timing out when processing redirect responses
- Network connections to suspicious domains with unusually long or malformed hostnames
- System logs showing Python processes consuming excessive CPU during URL or hostname processing operations
Detection Strategies
- Monitor Python process CPU usage patterns and alert on sustained high utilization that exceeds baseline thresholds
- Implement network traffic analysis to detect HTTP responses with abnormally long Location headers or unusual hostname patterns
- Deploy application-level logging to capture and analyze hostnames being processed, flagging those exceeding reasonable length thresholds
- Utilize endpoint detection solutions to identify Python processes exhibiting algorithmic complexity attack patterns
Monitoring Recommendations
- Configure resource monitoring to track CPU utilization per Python process with alerting on anomalies
- Implement request logging at application boundaries to capture incoming URLs and hostnames for retrospective analysis
- Deploy network monitoring to identify potential attack vectors such as malicious redirects from external servers
- Establish baseline metrics for normal Python application CPU consumption to enable accurate anomaly detection
How to Mitigate CVE-2022-45061
Immediate Actions Required
- Update Python to patched versions: 3.11.1, 3.10.9, 3.9.16, 3.8.16, or 3.7.16 or later
- Audit Python applications for external URL/hostname processing and implement input validation
- Consider implementing request timeouts and CPU resource limits for Python processes handling external data
- Review HTTP client configurations to limit redirect depth and implement hostname validation
Patch Information
Python has released security patches addressing this vulnerability in the following versions:
| Branch | Fixed Version |
|---|---|
| 3.11.x | 3.11.1 |
| 3.10.x | 3.10.9 |
| 3.9.x | 3.9.16 |
| 3.8.x | 3.8.16 |
| 3.7.x | 3.7.16 |
Organizations should update to the latest available version within their supported Python branch. For detailed information, refer to the CPython GitHub Issue Discussion.
Distribution-specific patches are available from Fedora, Debian LTS, and Gentoo.
Workarounds
- Implement hostname length validation before passing untrusted hostnames to Python's URL processing functions
- Configure HTTP client libraries to limit redirect following and implement timeout mechanisms
- Use application firewalls or proxies to filter requests/responses containing abnormally long hostnames
- Deploy resource limits (cgroups, ulimit) on Python processes to bound CPU consumption
# Example: Limit CPU time for Python processes using ulimit
# Add to shell configuration or systemd service file
ulimit -t 60 # Limit CPU time to 60 seconds
# Example: Use timeout command for Python scripts processing external data
timeout --signal=KILL 30s python your_script.py
# Example: systemd service CPU limiting
# Add to [Service] section of unit file
CPUQuota=50%
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
