In May 2022, CVE-2022-31799 was assigned to a security vulnerability found in the popular Python micro web framework Bottle. This bug affects all versions before 0.12.20 and opens the door for dangerous application impacts due to how Bottle handles errors during the initial request phase, also known as *early request binding*. In this article, we'll break down the vulnerability, review some code snippets, see how exploits could work, and learn how you can defend your apps.
What Is Bottle and Early Request Binding?
Bottle is a lightweight Python micro web-framework used for rapid web app prototyping. If you’ve built and run REST APIs with Python but wanted something smaller than Flask or Django, chances are you’ve used Bottle.
Early request binding happens when the framework first reads, parses, and binds HTTP request information—like path variables and headers—to app handler functions. This is done before the handler’s actual business logic runs.
The Vulnerability Explained
Prior to version 0.12.20, Bottle did not properly handle errors thrown during early request binding. If any code (including application code and plugin hooks) raised an uncaught error during this phase, Bottle would expose internal error details directly in the HTTP response. This includes stack traces, debug information, and sometimes even code or config snippets.
Why Is This Bad?
- Internal Information Leak: Attackers can learn about your application’s internal structure, Python code, dependency versions, and environment.
Quick Technical Look: The Problem Code
This vulnerability centers on the `Bottle._handle` method in older versions. Here's a stripped-down, simplified version of the vulnerable logic (for educational purposes):

```python
from bottle import HTTPError


def _handle(self, environ):
    try:
        # ... request and route binding ...
        # Any exception raised here (route matching, filters, plugin hooks)
        # escapes before the handler function is ever called
        route, args = self.router.match(environ)
    except Exception as e:
        # Here's the problem: the raw exception object is attached to the
        # HTTPError, and its traceback is rendered into the client response
        return HTTPError(500, "Internal Server Error", exception=e)
    # ... handler function execution ...
```
In affected versions, the code just catches *any* error and turns it into an HTTP 500 error. But unless you set Bottle to production mode and tweak error handling defaults just right, the actual error details (including stack trace) get included in the server's response. This is a kind of Information Disclosure.
1. Trigger an Error in Early Binding
By sending a request that forces Bottle to process invalid input for routing or plugins, you can force an exception early, before your handler code runs.
Example Route
```python
from bottle import Bottle

app = Bottle()


@app.route('/user/<user_id:int>')
def user_profile(user_id):
    # The :int filter converts the path segment before this body runs
    return f"User ID: {user_id}"
```
Malicious Request
If you visit:

```http
GET /user/notanumber
```

you'll trigger an error, since `notanumber` cannot be converted to `int`. In affected Bottle versions, this triggers a stack trace in the HTTP response!
2. Error Leak Example Output (From Bottle < 0.12.20):

```text
Traceback (most recent call last):
  File "bottle.py", line 862, in _handle
    route, args = self.router.match(environ)
  File "bottle.py", line 798, in match
  # ...more lines...
ValueError: invalid literal for int() with base 10: 'notanumber'
```
Attackers can see file names, code lines, and sometimes even sensitive environment info.
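A practical way to catch this class of leak in your own test suite or response scanner is to inspect response bodies for the tell-tale shape of a Python traceback. The following is an added example, not code from the article or from Bottle; the sample body is constructed to resemble the HTML-escaped traceback that Bottle's default error page renders, and the function and regex names are this example's own.

```python
import html
import re

# Constructed sample: an HTML-escaped traceback of the kind the article shows
# leaking from an unpatched Bottle when early request binding fails.
SAMPLE_LEAKY_BODY = """\
<h1>Error: 500 Internal Server Error</h1>
<h2>Traceback:</h2>
<pre>Traceback (most recent call last):
  File &quot;bottle.py&quot;, line 862, in _handle
    route, args = self.router.match(environ)
  File &quot;bottle.py&quot;, line 798, in match
ValueError: invalid literal for int() with base 10: &#039;notanumber&#039;
</pre>
"""

# Constructed sample of the generic response a hardened app should return.
SAMPLE_SAFE_BODY = "<h1>Internal Server Error</h1><p>Something went wrong.</p>"

TRACEBACK_HEADER = re.compile(r"Traceback \(most recent call last\):")
FRAME_LINE = re.compile(r'File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
# Final line of a traceback: the exception class, optionally followed by ": message"
EXC_LINE = re.compile(r"^(?P<exc>[\w.]*(?:Error|Exception))(?::|$)", re.M)


def detect_traceback_leak(body: str) -> dict:
    """Inspect an HTTP response body for a leaked Python traceback.

    Returns a dict with 'leaked' (bool), the (path, line, function) tuples named
    in the stack frames, and the final exception class, so a CI check can fail
    the build whenever internal details reach a client.
    """
    # Bottle escapes the traceback for HTML, so undo that before matching
    text = html.unescape(body)
    if not TRACEBACK_HEADER.search(text):
        return {"leaked": False, "frames": [], "exception": None}
    frames = [
        (m.group("path"), int(m.group("line")), m.group("func"))
        for m in FRAME_LINE.finditer(text)
    ]
    exc_match = EXC_LINE.search(text)
    exception = exc_match.group("exc") if exc_match else None
    return {"leaked": True, "frames": frames, "exception": exception}


if __name__ == "__main__":
    for name, body in (("leaky", SAMPLE_LEAKY_BODY), ("safe", SAMPLE_SAFE_BODY)):
        print(name, detect_traceback_leak(body))
```

Run it against the bodies your integration tests already collect (for example every 4xx/5xx response), and treat `leaked == True` as a failing test; the `frames` list tells you which internal file paths were exposed.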
Official References and Fix
- CVE-2022-31799 on NVD
- Bottle Release 0.12.20 Changelog
- Bottle Issue #1473
- Python Security Advisory
How Is It Fixed?
Bottle 0.12.20 and above rework error handling so that all exceptions during early binding are safely wrapped and hidden from users unless the app is intentionally in debug mode. The fix ensures all error messages sent to clients are generic unless you opt in to dangerous debug output.
Upgrade Now!
```shell
pip install --upgrade bottle
```

Upgrade immediately to Bottle >= 0.12.20.
- Be cautious with framework error messages—avoid exposing tracebacks or sensitive configuration to end users.
- Harden your web server with generic error handlers at the WSGI/app server layer (using Gunicorn, uWSGI, Nginx, etc.).
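The second bullet can be implemented as a WSGI wrapper that sits between the application server and the app, so that any exception the framework fails to sanitise (including one raised before a route handler runs) becomes a fixed generic response while the full traceback goes to the server log. This is an added example, not the article's or Bottle's own code; `SafeErrorMiddleware`, `constructed_app` and the in-process `call` helper are constructed for illustration and rely only on the standard library.

```python
import logging
import sys
import traceback
from typing import Callable, Iterable

log = logging.getLogger("safe_errors")


class SafeErrorMiddleware:
    """WSGI wrapper that turns any escaped exception into a generic 500.

    The client only ever sees GENERIC_BODY; the traceback, request method and
    path are written to the server log for the operators who need them.
    """

    GENERIC_BODY = b"Internal Server Error"

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        try:
            # Materialise the body so exceptions raised lazily by a generator
            # are caught here as well, not by the application server.
            return list(self.app(environ, start_response))
        except Exception:
            log.error(
                "Unhandled exception for %s %s\n%s",
                environ.get("REQUEST_METHOD"),
                environ.get("PATH_INFO"),
                traceback.format_exc(),
            )
            # Passing exc_info lets a compliant server accept a second
            # start_response call if the inner app already started one.
            start_response(
                "500 Internal Server Error",
                [("Content-Type", "text/plain"),
                 ("Content-Length", str(len(self.GENERIC_BODY)))],
                sys.exc_info(),
            )
            return [self.GENERIC_BODY]


def constructed_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Constructed stand-in for an app whose early binding fails: converting the
    last path segment to int raises before any handler logic runs."""
    user_id = int(environ.get("PATH_INFO", "/").rsplit("/", 1)[-1])
    body = f"User ID: {user_id}".encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app: Callable, path: str) -> tuple:
    """Minimal in-process WSGI client; returns (status, decoded body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    wrapped = SafeErrorMiddleware(constructed_app)
    print(call(wrapped, "/user/42"))
    print(call(wrapped, "/user/notanumber"))
```

Deploy the wrapper by pointing Gunicorn or uWSGI at `SafeErrorMiddleware(app)` instead of `app`. Note that Bottle catches exceptions itself by default through its `catchall` attribute; setting `app.catchall = False` lets exceptions propagate to a wrapper like this one, which is one way to guarantee a uniform generic body regardless of the framework's own debug settings.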
Final Thoughts
CVE-2022-31799 shows us the dangers of even small web framework bugs—tiny oversights can lead to big leaks or serve as reconnaissance for attackers. Maintaining updated dependencies and safe error handling practices are essential for every developer.
If you use Bottle, patch to the latest version now. Check all your routes and plugins for error handling, and double-check your production configs!
Further Reading
- OWASP - Information Exposure Through Error Messages
- Bottle Docs: Error Handling
Timeline
Published on: 06/02/2022 14:15:00 UTC
Last modified on: 06/22/2022 03:15:00 UTC