CVE-2021-3737: urllib HTTP client possible infinite loop on a 100 Continue response


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

If a client request a HTTP/HTTPS/FTP service which is controlled by attacker, attacker can make this client hang forever, even if the client has set a timeout argument.


  • Disclosure date: 2021-05-03 (Python issue bpo-44022 reported)

Fixed In

Python issue

CVE-2021-3737: urllib http client possible infinite loop on a 100 Continue response.

  • Python issue: bpo-44022
  • Creation date: 2021-05-03
  • Reporter: guangli dong


A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.


Timeline using the disclosure date 2021-05-03 as reference: