urllib3 vulnerable to Regular expression Denial-of-Service (ReDoS)


urllib3 contains a Regular expression Denial-of-Service (ReDoS) vulnerability.

urllib3, an HTTP client module for Python, contains a Regular expression Denial-of-Service (ReDoS) vulnerability (CWE-400, CVE-2021-33503) due to catastrophic backtracking while processing a malicious URL.

Nariyoshi Chida of NTT Secure Platform Laboratories reported this vulnerability to the urllib3 community and coordinated with them. JPCERT/CC published this advisory to notify users of this vulnerability.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
Affected Products

Python Software Foundation
  • urllib3 versions prior to v1.26.5


A remote attacker may be able to cause a denial-of-service (DoS).

[Update the Software]
Apply the appropriate update according to the information provided by the developer.
The developer has released the fixed version v1.26.5.
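
One way to check pinned and installed urllib3 versions against the affected range above (versions prior to v1.26.5). This is an added example, not part of the advisory or of urllib3; the function names and the sample requirement lines are constructed for illustration, and version parsing is simplified (no epochs).

```python
import re
from importlib import metadata

FIXED = (1, 26, 5)  # first fixed release named in the advisory
_RELEASE = re.compile(r"v?(\d+(?:\.\d+)*)(.*)", re.S)
_PRE = re.compile(r"[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)

def is_affected(version):
    """True if `version` sorts before 1.26.5, i.e. is in the affected range."""
    m = _RELEASE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * (3 - len(release))  # "1.26" compares as (1, 26, 0)
    if release == FIXED:  # 1.26.5rc1 / 1.26.5.dev0 precede the fixed release
        return _PRE.match(m.group(2)) is not None
    return release < FIXED

def audit_requirements(text):
    """Return (line_no, requirement, status) for every urllib3 line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not re.match(r"urllib3(?![\w.-])", line, re.I):
            continue  # other packages, including urllib3-prefixed names
        pin = re.search(r"===?\s*([^\s;,]+)", line)
        if pin is None or "*" in pin.group(1):
            status = "unpinned"  # range or wildcard: resolve, then recheck
        else:
            status = "affected" if is_affected(pin.group(1)) else "fixed"
        findings.append((lineno, line, status))
    return findings

def installed_status():
    """(version, affected) for the urllib3 in this environment, or None."""
    try:
        version = metadata.version("urllib3")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)

# Constructed sample input, not taken from any real project.
SAMPLE = ("requests==2.25.1\nurllib3==1.26.4\nurllib3[secure]==1.26.5\n"
          "urllib3>=1.25  # range, not a pin\nurllib3-mock==0.3.3\n")

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
    print("installed:", installed_status())
```

Lines reported as "unpinned" need the resolved version (for example from a lock file) fed back through `is_affected` before they can be cleared.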
Vendor Information

Python Software Foundation
CWE

  1. Uncontrolled Resource Consumption ('Resource Exhaustion') (CWE-400) [IPA Evaluation]
CVE

  1. CVE-2021-33503

  1. JVN : JVNVU#92413403
Revision History

  • [2021/06/08]
      Web page was published