Regular Expression Denial of Service in http.cookiejar

The regex http.cookiejar.LOOSE_HTTP_DATE_RE is vulnerable to regular expression denial of service (“ReDoS”). LOOSE_HTTP_DATE_RE.match() is called when http.cookiejar.CookieJar parses Set-Cookie headers returned by an HTTP server. Processing a response from a malicious HTTP server can therefore lead to extreme CPU usage and block execution for a long time.
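A defensive pre-filter illustrating the mitigation side of the issue, added here as an example and not code from CPython or from this advisory: it bounds the length of Set-Cookie attribute values before CookieJar hands the Expires value to LOOSE_HTTP_DATE_RE, since bounded input bounds the regex's backtracking cost. MAX_ATTR_LEN, set_cookie_header_ok, extract_filtered and the example.test host are assumptions; the sample headers are constructed.

```python
# Added example (not CPython's or this advisory's code): bound Set-Cookie attribute
# values before CookieJar hands Expires to LOOSE_HTTP_DATE_RE. MAX_ATTR_LEN,
# set_cookie_header_ok, extract_filtered, example.test and the samples are assumed/constructed.
import email.message
import http.cookiejar
import urllib.request

# A legitimate HTTP date ("Fri, 31 Dec 2099 23:59:59 GMT") is 29 chars; assumed bound with slack.
MAX_ATTR_LEN = 64

def set_cookie_header_ok(header, max_attr_len=MAX_ATTR_LEN):
    """True if every attribute value (Expires, Path, ...) is within the bound."""
    # Only attribute values reach http2time()/LOOSE_HTTP_DATE_RE, so the first
    # name=value segment is left alone. Bounded input bounds the backtracking.
    for part in header.split(";")[1:]:
        _, sep, value = part.partition("=")
        if sep and len(value.strip()) > max_attr_len:
            return False
    return True

class _HeaderResponse:
    """Minimal response stand-in: CookieJar.extract_cookies only calls .info()."""
    def __init__(self, message):
        self._message = message
    def info(self):
        return self._message

def extract_filtered(jar, request, set_cookie_headers):
    """Feed only bounded Set-Cookie headers to the jar; return the rejected ones."""
    message = email.message.Message()
    rejected = []
    for header in set_cookie_headers:
        if set_cookie_header_ok(header):
            message["Set-Cookie"] = header  # Message keeps duplicate headers
        else:
            rejected.append(header)  # worth logging: a hostile server is a signal
    jar.extract_cookies(_HeaderResponse(message), request)
    return rejected

SAMPLE_HEADERS = [  # constructed sample input
    "sessionid=abc123; Path=/; Expires=Fri, 31 Dec 2099 23:59:59 GMT",
    "junk=1; Expires=" + "x" * 500,  # oversized value standing in for hostile input
]

def demo():
    """Parse the samples into a fresh jar; return (cookie names, rejected headers)."""
    jar = http.cookiejar.CookieJar()
    request = urllib.request.Request("http://example.test/")
    rejected = extract_filtered(jar, request, SAMPLE_HEADERS)
    return sorted(c.name for c in jar), rejected
```

The filter is a stop-gap for deployments that cannot upgrade; the rejected list is also a cheap detection signal for servers sending abnormal cookie attributes.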

  • Disclosure date: 2019-11-14 (Python issue bpo-38804 reported)

Fixed In

Vulnerable Versions

  • Python 2.7 (need release)
  • Python 3.5 (need commit)

Python issue

Regular Expression Denial of Service in http.cookiejar.

  • Python issue: bpo-38804
  • Creation date: 2019-11-14
  • Reporter: Ben Caller

Timeline

Timeline using the disclosure date 2019-11-14 as reference: