urllib basic auth regex denial of service


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The AbstractBasicAuthHandler class of the urllib.request module uses an inefficient regular expression (catastrophic backtracking) which can be exploited by an attacker to cause a denial of service.

See also https://bugs.python.org/issue43075


  • Disclosure date: 2019-11-17 (Python issue bpo-38826 reported)
  • Reported at: 2019-11-17 (bpo-38826)
  • Reported by: Ben Caller and Matt Schwager

Fixed In

Python issue

Regular Expression Denial of Service in urllib.request.AbstractBasicAuthHandler.

  • Python issue: bpo-38826
  • Creation date: 2019-11-17
  • Reporter: Ben Caller


Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.


Timeline using the disclosure date 2019-11-17 as reference: