urllib basic auth regex denial of service

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression (catastrophic backtracking) which can be exploited by an attacker to cause a denial of service.

See also https://bugs.python.org/issue43075


  • Disclosure date: 2019-11-17 (Python issue bpo-38826 reported)
  • Reported at: 2019-11-17 (bpo-38826)
  • Reported by: Ben Caller and Matt Schwager

Fixed In

Python issue

Regular Expression Denial of Service in urllib.request.AbstractBasicAuthHandler.

  • Python issue: bpo-38826
  • Creation date: 2019-11-17
  • Reporter: Ben Caller


Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.


Timeline using the disclosure date 2019-11-17 as reference: