Hash DoS

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

Hash collision denial of service.

Python 2.7 and older and Python 3.2 and older require the -R command line option to enable hash function randomization. Randomization is enabled by default since Python 3.3 (the -R option is ignored).

“Effective Denial of Service attacks against web application platforms” talk at the CCC: 2011-12-28

See also the PEP 456: Secure and interchangeable hash algorithm: Python 3.4 switched to SipHash.

  • Ruby: CRuby 1.9 fixed the vulnerability in 2008 with randomized hash function; JRuby has also been fixed.
  • Perl: Perl 5.8.1 fixed the vulnerability in 2003 using a random “PERL_HASH_SEED”.
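The mitigation described above is a per-process random salt in the str/bytes hash, so the same key hashes differently in every interpreter run and an attacker cannot precompute colliding keys. The following added example (not part of this advisory or of CPython's own code) checks that a running interpreter has that mitigation on, reports the hash algorithm (SipHash on 3.4+ per PEP 456), and shows the effect by hashing one string in fresh subprocesses with and without a pinned PYTHONHASHSEED. The function names and the sample string "hash-dos" are this example's own choices.

```python
"""Verify hash randomization (the fix for CVE-2012-1150) is active.

Added example for this advisory, not part of the original page.
Uses only public CPython interfaces: sys.flags.hash_randomization,
sys.hash_info and the PYTHONHASHSEED environment variable.
"""
import os
import subprocess
import sys


def hash_randomization_enabled():
    """True if str/bytes hashes are salted with a per-process random seed.

    sys.flags.hash_randomization is 0 when the interpreter runs with
    PYTHONHASHSEED=0 (or on an unfixed 2.x/3.2 build without -R), else 1.
    A service that accepts untrusted dict keys should refuse to start
    when this returns False.
    """
    return bool(sys.flags.hash_randomization)


def hash_algorithm():
    """Name of the str/bytes hash ('siphash24' or 'siphash13' on 3.4+)."""
    return getattr(sys.hash_info, "algorithm", "unknown")


def hash_in_subprocess(value, seed=None):
    """Return hash(value) as computed by a fresh interpreter process.

    seed=None removes PYTHONHASHSEED so the child picks a random seed;
    an integer pins the seed, which makes the result reproducible
    (and is exactly what a defender must NOT do in production).
    """
    env = dict(os.environ)
    if seed is None:
        env.pop("PYTHONHASHSEED", None)
    else:
        env["PYTHONHASHSEED"] = str(seed)
    out = subprocess.check_output(
        [sys.executable, "-c", "import sys; print(hash(sys.argv[1]))", value],
        env=env,
    )
    return int(out.strip())


def seeds_differ(value="hash-dos", runs=5):
    """True if fresh interpreters do not all agree on hash(value).

    With randomization on, five runs agreeing by chance is negligible;
    with a fixed seed every run returns the same number.
    """
    return len({hash_in_subprocess(value) for _ in range(runs)}) > 1


def pinned_seed_is_stable(value="hash-dos", seed=12345):
    """A pinned PYTHONHASHSEED reproduces the same hash across processes."""
    return hash_in_subprocess(value, seed) == hash_in_subprocess(value, seed)


if __name__ == "__main__":
    print("hash randomization enabled:", hash_randomization_enabled())
    print("hash algorithm:", hash_algorithm())
    print("hashes differ across fresh interpreters:", seeds_differ())
    print("PYTHONHASHSEED=12345 is reproducible:", pinned_seed_is_stable())
```

Run it under the interpreter you deploy; a False for the first or third line means untrusted input can still drive the predictable-collision CPU exhaustion this advisory describes, typically because PYTHONHASHSEED=0 was set for test reproducibility and leaked into the service environment.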

Dates:

  • Disclosure date: 2011-12-28 (CCC talk)
  • Reported by: Alexander “alech” Klink and Julian “zeri” Wälde

Fixed In

Python issue

Hash collision security issue.

  • Python issue: bpo-13703
  • Creation date: 2012-01-03
  • Reporter: Barry A. Warsaw

CVE-2012-1150

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

Timeline

Timeline using the disclosure date 2011-12-28 as reference:

  • 2011-12-28: Disclosure date (CCC talk)
  • 2012-01-03 (+6 days): Python issue bpo-13703 reported by Barry A. Warsaw
  • 2012-02-20 (+54 days): commit 2daf6ae (branch 2.7)
  • 2012-02-21 (+55 days): commit 1e13eb0 (branch 2.6)
  • 2012-04-06 (+100 days): Python 3.1.5 released
  • 2012-04-09 (+103 days): Python 2.7.3 released
  • 2012-04-10 (+104 days): Python 2.6.8 released
  • 2012-04-10 (+104 days): Python 3.2.3 released
  • 2012-09-29: Python 3.3.0 released
  • 2012-10-05 (+282 days): CVE-2012-1150 published