CVE-2021-3733: ReDoS in urllib.request


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The regular expression used by the AbstractBasicAuthHandler class of the urllib module is inefficient and can be abused by an attacker with a maliciuous HTTP server to cause a denial of service.


  • Disclosure date: 2021-01-30 (Python issue bpo-43075 reported)

Fixed In

Python issue

CVE-2021-3733: ReDoS in urllib.request.

  • Python issue: bpo-43075
  • Creation date: 2021-01-30
  • Reporter: yeting li


There’s a flaw in urllib’s AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.


Timeline using the disclosure date 2021-01-30 as reference: