Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-jr27-m4p2-rc6r

Опубликовано: 17 мар. 2026
Источник: github
Github: Прошло ревью
CVSS3: 7.5

Описание

Denial of Service in pyasn1 via Unbounded Recursion

Summary

The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application.

Details

The vulnerability exists because the decoder iterates through the input stream and recursively calls decodeFun (the decoding callback) for every nested component found, without tracking or limiting the recursion depth. Vulnerable Code Locations:

  1. indefLenValueDecoder (Line 998): for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options): This method handles indefinite-length constructed types. It sits inside a while True loop and recursively calls the decoder for every nested tag.

  2. valueDecoder (Lines 786 and 907): for component in decodeFun(substrate, componentType, **options): This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of SEQUENCE or SET types. Line 907: Recursively decodes elements of SEQUENCE OF or SET OF types.

  3. _decodeComponentsSchemaless (Line 661): for component in decodeFun(substrate, **options): This method handles decoding when no schema is provided.

In all three cases, decodeFun is invoked without passing a depth parameter or checking against a global MAX_ASN1_NESTING limit.

PoC

import sys from pyasn1.codec.ber import decoder sys.setrecursionlimit(100000) print("[*] Generating Recursion Bomb Payload...") depth = 50_000 chunk = b'\x30\x80' payload = chunk * depth print(f"[*] Payload size: {len(payload) / 1024:.2f} KB") print("[*] Triggering Decoder...") try: decoder.decode(payload) except RecursionError: print("[!] Crashed: Recursion Limit Hit") except MemoryError: print("[!] Crashed: Out of Memory") except Exception as e: print(f"[!] Crashed: {e}")
[*] Payload size: 9.77 KB [*] Triggering Decoder... [!] Crashed: Recursion Limit Hit

Impact

  • This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.
  • Service Crash: Any service using pyasn1 to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.
  • Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.

Credits

Vulnerability discovered by Kevin Tu of TMIR at ByteDance.

Ссылки

Пакеты

Наименование

pyasn1

pip
Затронутые версииВерсия исправления

<= 0.6.2

0.6.3

EPSS

Процентиль: 15%
0.00049
Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-30922

Дефекты

CWE-674

Связанные уязвимости

ubuntu логотип

CVE-2026-30922

CVSS3: 7.5
ubuntu
9 дней назад

(pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pya ...)

redhat логотип

CVE-2026-30922

CVSS3: 7.5
redhat
9 дней назад

An unbounded recursion flaw has been discovered in the pypi pyasn1 library. This uncontrolled recursion occurs when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application.

nvd логотип

CVE-2026-30922

CVSS3: 7.5
nvd
9 дней назад

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing thousands of nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with "Indefinite Length" (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (`MAX_OID_ARC_CONTINUATION_OCTETS`) does not mitigate this recursion issue. Version 0.6.3 fixes this specific issue.

msrc логотип

CVE-2026-30922

msrc
6 дней назад

pyasn1 Vulnerable to Denial of Service via Unbounded Recursion

debian логотип

CVE-2026-30922

CVSS3: 7.5
debian
9 дней назад

pyasn1 is a generic ASN.1 library for Python. Prior to 0.6.3, the `pya ...

EPSS

Процентиль: 15%
0.00049
Низкий

7.5 High

CVSS3

CVE ID

CVE-2026-30922

Дефекты

CWE-674