CVE-2022-45061 - Python IDNA Decoder Denial of Service - Explained Simply

In this article, we break down CVE-2022-45061, a vulnerability affecting Python before version 3.11.1. We’ll see what happened, how it can be exploited, and what you should do about it.

What Is CVE-2022-45061?

The vulnerability involves the way Python processes hostname strings using the IDNA (Internationalized Domain Names in Applications) decoder, as outlined in RFC 349. There’s a specific code path in Python’s standard library that runs a quadratic time algorithm, meaning its CPU usage can skyrocket if it’s fed a carefully crafted, super-long string.

In simple terms:  
If someone gives Python a ridiculously long and tricky hostname to decode, it could take down the computer or service temporarily by making the CPU spin at full speed.

Why Is This a Problem?

Many applications use Python to handle URLs and domain names. Sometimes, these hostnames come from the outside world—like from an HTTP response. If the attacker controls this response, they could send back a payload inside a header, such as a maliciously crafted Location header in a HTTP 302 redirect. When your code tries to parse it, the server (or client) stalls using a lot of CPU.

How Does the Exploit Work?

Let’s get technical! The core issue is unnecessary quadratic processing in the hostname decoder. If a hostname input is structured just the right way, the decoder checks certain parts again and again in a nested fashion (O(n^2) time).

Example Exploit Workflow

1. Attacker crafts a long, malicious hostname (for instance, repeating certain Unicode characters or dots).

`

Location: http://aaaaaaaaaaaaaaaaa……aaaa.example.com

Here’s a minimal code snippet that demonstrates the vulnerability in Python <3.11.1

import encodings.idna

# Malicious hostname - super long, triggers worst-case quadratic
host = 'a' + ('.' + 'a'*63)*100 + '.com'

# This call will consume a lot of CPU time and may hang the process
try:
    out = encodings.idna.ToASCII(host)
    print(f"IDNA: {out}")
except Exception as e:
    print(f"Error: {e}")

This is not a remote code execution bug, but it *is* a way to cause denial-of-service by eating up server resources.

Let’s say your Python app is a web crawler

import requests

response = requests.get("http://example.com/";)
redirect_url = response.headers.get('Location')
# Will trigger IDNA decode automatically

An attacker running a fake web server, or able to inject headers, could make your crawler freeze or slow down by returning a redirect with the malicious hostname.

How Was It Fixed?

Python switched to a more efficient algorithm that avoids doing unnecessary repeated work. The patch can be seen here:

- CPython PR #99134

3.7.16

Reference:  
- GitHub Issue 99063
- Security Advisory
- Python bug tracker

Validate input: Don't blindly decode hostnames received from untrusted or third-party sources.

3. Consider using rate limiting or placing proxy filters to block suspiciously long URLs or hostnames.

Bottom Line

CVE-2022-45061 is a classic example of how inefficient code can open up your apps to denial-of-service attacks, even if no code execution is involved. Keeping dependencies up to date and treating all external input as hostile are fundamental best practices.

Timeline

Published on: 11/09/2022 07:15:00 UTC
Last modified on: 11/09/2022 21:17:00 UTC