Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (1)
| Vulnerability |
Summary |
Aliases |
|
VCID-kth3-bvbt-gbgk
|
Denial of Service in pyasn1 via Unbounded Recursion
### Summary
The `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with Indefinite Length (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application.
### Details
The vulnerability exists because the decoder iterates through the input stream and recursively calls `decodeFun` (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.
Vulnerable Code Locations:
1. `indefLenValueDecoder` (Line 998):
```for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):```
This method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag.
2. `valueDecoder` (Lines 786 and 907):
```for component in decodeFun(substrate, componentType, **options):```
This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of `SEQUENCE` or `SET` types. Line 907: Recursively decodes elements of `SEQUENCE OF` or `SET OF` types.
4. `_decodeComponentsSchemaless` (Line 661):
```for component in decodeFun(substrate, **options):```
This method handles decoding when no schema is provided.
In all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit.
### PoC
```
import sys
from pyasn1.codec.ber import decoder
sys.setrecursionlimit(100000)
print("[*] Generating Recursion Bomb Payload...")
depth = 50_000
chunk = b'\x30\x80'
payload = chunk * depth
print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering Decoder...")
try:
decoder.decode(payload)
except RecursionError:
print("[!] Crashed: Recursion Limit Hit")
except MemoryError:
print("[!] Crashed: Out of Memory")
except Exception as e:
print(f"[!] Crashed: {e}")
```
```
[*] Payload size: 9.77 KB
[*] Triggering Decoder...
[!] Crashed: Recursion Limit Hit
```
### Impact
- This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.
- Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.
- Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.
### Credits
Vulnerability discovered by Kevin Tu of TMIR at ByteDance.
|
CVE-2026-30922
GHSA-jr27-m4p2-rc6r
|