CWE-835
AllowedLoop with Unreachable Exit Condition ('Infinite Loop')
Abstraction: Base · Status: Incomplete
The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.
1052 vulnerabilities reference this CWE, most recent first.
GHSA-HM5V-WWXQ-27X8
Vulnerability from github – Published: 2026-07-01 12:31 – Updated: 2026-07-01 12:31A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-14258"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-01T11:16:25Z",
"severity": "MODERATE"
},
"details": "A flaw was found in dhcpcd\u0027s IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.",
"id": "GHSA-hm5v-wwxq-27x8",
"modified": "2026-07-01T12:31:35Z",
"published": "2026-07-01T12:31:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14258"
},
{
"type": "WEB",
"url": "https://github.com/NetworkConfiguration/dhcpcd/issues/415"
},
{
"type": "WEB",
"url": "https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-14258"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2462305"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HM76-PCX8-WGRM
Vulnerability from github – Published: 2022-05-13 01:49 – Updated: 2022-05-13 01:49In Bento4 v1.5.1-624, AP4_File::ParseStream in Ap4File.cpp allows remote attackers to cause a denial of service (infinite loop) via a crafted MP4 file.
{
"affected": [],
"aliases": [
"CVE-2018-14445"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-07-20T13:29:00Z",
"severity": "MODERATE"
},
"details": "In Bento4 v1.5.1-624, AP4_File::ParseStream in Ap4File.cpp allows remote attackers to cause a denial of service (infinite loop) via a crafted MP4 file.",
"id": "GHSA-hm76-pcx8-wgrm",
"modified": "2022-05-13T01:49:56Z",
"published": "2022-05-13T01:49:56Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-14445"
},
{
"type": "WEB",
"url": "https://github.com/axiomatic-systems/Bento4/issues/289"
},
{
"type": "WEB",
"url": "http://hac425.unaux.com/index.php/archives/62"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HM7P-R324-HHF3
Vulnerability from github – Published: 2023-03-03 06:30 – Updated: 2025-03-06 21:36Math/PrimeField.php in phpseclib has an infinite loop with composite primefields. This vulnerability was introduced in version 3.0.0, and has been patched in 3.0.19. The CVE for this issue originally identified the the vulnerable version as 2.x, however, the vulnerable functionality was not introduced until version 3.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "phpseclib/phpseclib"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-27560"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-03T23:01:05Z",
"nvd_published_at": "2023-03-03T06:15:00Z",
"severity": "HIGH"
},
"details": "Math/PrimeField.php in phpseclib has an infinite loop with composite primefields. This vulnerability was introduced in version 3.0.0, and has been patched in 3.0.19. The CVE for this issue originally identified the the vulnerable version as 2.x, however, the vulnerable functionality was not introduced until version 3.",
"id": "GHSA-hm7p-r324-hhf3",
"modified": "2025-03-06T21:36:12Z",
"published": "2023-03-03T06:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27560"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/commit/6298d1cd55c3ffa44533bd41906caec246b60440"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/commit/6298d1cd55c3ffa44533bd41906caec246b60440#commitcomment-103226722"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/phpseclib/phpseclib/CVE-2023-27560.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/phpseclib/phpseclib"
},
{
"type": "WEB",
"url": "https://github.com/phpseclib/phpseclib/releases/tag/3.0.19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "phpseclib Infinite Loop vulnerability"
}
GHSA-HM9V-VJ3R-R55M
Vulnerability from github – Published: 2023-06-30 22:19 – Updated: 2023-06-30 22:19Impact
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted metadata from such a malformed PDF.
Patches
The issue was fixed with https://github.com/py-pdf/pypdf/pull/1331
Workarounds
If you cannot update your version of PyPDF2 (preferably to pypdf>3.1.0 as PyPDF2 is deprecated), you should modify PyPDF2/generic/_data_structures.py::read_object.
Replace:
else:
# number object OR indirect reference
peek = stream.read(20)
stream.seek(-len(peek), 1) # reset to start
if IndirectPattern.match(peek) is not None:
return IndirectObject.read_from_stream(stream, pdf)
else:
return NumberObject.read_from_stream(stream)
by
elif tok in b"0123456789+-.":
# number object OR indirect reference
peek = stream.read(20)
stream.seek(-len(peek), 1) # reset to start
if IndirectPattern.match(peek) is not None:
return IndirectObject.read_from_stream(stream, pdf)
else:
return NumberObject.read_from_stream(stream)
else:
raise PdfReadError(
f"Invalid Elementary Object starting with {tok} @{stream.tell()}"
)
References
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "PyPDF2"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.5"
},
{
"fixed": "2.10.6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.10.5"
]
}
],
"aliases": [
"CVE-2023-36807"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-30T22:19:39Z",
"nvd_published_at": "2023-06-30T19:15:09Z",
"severity": "MODERATE"
},
"details": "### Impact\nAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop.\nThis infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case if the user extracted metadata from such a malformed PDF.\n\n### Patches\nThe issue was fixed with https://github.com/py-pdf/pypdf/pull/1331\n\n### Workarounds\nIf you cannot update your version of `PyPDF2` (preferably to `pypdf\u003e3.1.0` as PyPDF2 is deprecated), you should modify `PyPDF2/generic/_data_structures.py::read_object`.\n\nReplace:\n\n```python\n else:\n # number object OR indirect reference\n peek = stream.read(20)\n stream.seek(-len(peek), 1) # reset to start\n if IndirectPattern.match(peek) is not None:\n return IndirectObject.read_from_stream(stream, pdf)\n else:\n return NumberObject.read_from_stream(stream)\n```\n\nby\n\n```python\n elif tok in b\"0123456789+-.\":\n # number object OR indirect reference\n peek = stream.read(20)\n stream.seek(-len(peek), 1) # reset to start\n if IndirectPattern.match(peek) is not None:\n return IndirectObject.read_from_stream(stream, pdf)\n else:\n return NumberObject.read_from_stream(stream)\n else:\n raise PdfReadError(\n f\"Invalid Elementary Object starting with {tok} @{stream.tell()}\"\n )\n```\n\n### References\n* [pypdf issue #1329](https://github.com/py-pdf/pypdf/issues/1329)\n* [pypdf PR #1331](https://github.com/py-pdf/pypdf/pull/1331)",
"id": "GHSA-hm9v-vj3r-r55m",
"modified": "2023-06-30T22:19:39Z",
"published": "2023-06-30T22:19:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-hm9v-vj3r-r55m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36807"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/issues/1329"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/pull/1331"
},
{
"type": "WEB",
"url": "https://github.com/py-pdf/pypdf/commit/e6531a25325e7e0174b6a1ba03b57320b5227f6b"
},
{
"type": "PACKAGE",
"url": "https://github.com/py-pdf/pypdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "PyPDF2 vulnerable to possible Infinite Loop when reading malformed objects"
}
GHSA-HP28-XQ6X-W6CH
Vulnerability from github – Published: 2022-05-13 01:46 – Updated: 2025-04-20 03:33The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file.
{
"affected": [],
"aliases": [
"CVE-2017-5852"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-03-01T15:59:00Z",
"severity": "MODERATE"
},
"details": "The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVariant.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted file.",
"id": "GHSA-hp28-xq6x-w6ch",
"modified": "2025-04-20T03:33:28Z",
"published": "2022-05-13T01:46:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5852"
},
{
"type": "WEB",
"url": "https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/02/01/12"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2017/02/02/10"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/97032"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HP7J-WVG8-RGV3
Vulnerability from github – Published: 2024-06-13 21:30 – Updated: 2024-06-13 21:30Deep Sea Electronics DSE855 Multipart Boundary Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of multipart boundaries. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-23171.
{
"affected": [],
"aliases": [
"CVE-2024-5949"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T20:15:16Z",
"severity": "MODERATE"
},
"details": "Deep Sea Electronics DSE855 Multipart Boundary Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of multipart boundaries. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-23171.",
"id": "GHSA-hp7j-wvg8-rgv3",
"modified": "2024-06-13T21:30:54Z",
"published": "2024-06-13T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5949"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-673"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HPM9-74QX-6X32
Vulnerability from github – Published: 2026-04-21 21:31 – Updated: 2026-06-30 03:36Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
{
"affected": [],
"aliases": [
"CVE-2026-34282"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-21T21:16:32Z",
"severity": "HIGH"
},
"details": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).",
"id": "GHSA-hpm9-74qx-6x32",
"modified": "2026-06-30T03:36:21Z",
"published": "2026-04-21T21:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34282"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34282.json"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460044"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-34282"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9694"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9693"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9691"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9689"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9688"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9687"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9686"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9256"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:9254"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:22328"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11902"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11829"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11822"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11655"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:11403"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HQCM-3JF7-M4CG
Vulnerability from github – Published: 2022-05-13 01:30 – Updated: 2022-05-13 01:30sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an infinite loop.
{
"affected": [],
"aliases": [
"CVE-2018-11365"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-05-22T04:29:00Z",
"severity": "HIGH"
},
"details": "sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an infinite loop.",
"id": "GHSA-hqcm-3jf7-m4cg",
"modified": "2022-05-13T01:30:25Z",
"published": "2022-05-13T01:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11365"
},
{
"type": "WEB",
"url": "https://github.com/ChijinZ/security_advisories/tree/master/ReadStat-7bced5b"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR45-W7F7-W9J6
Vulnerability from github – Published: 2026-05-08 18:31 – Updated: 2026-05-08 21:31lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causing valid JSON strings ending with an escaped backslash (like "\") to never terminate parsing. A remote attacker can send well-formed JSON to cause applications using lwjson_stream_parse() to hang indefinitely, resulting in denial of service.
{
"affected": [],
"aliases": [
"CVE-2026-29975"
],
"database_specific": {
"cwe_ids": [
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-08T16:16:10Z",
"severity": "HIGH"
},
"details": "lwjson 1.8.1 contains an improper input validation vulnerability in the streaming JSON parser (lwjson_stream.c). The end-of-string detection logic incorrectly identifies escaped quote characters by only checking the immediately preceding character rather than counting consecutive backslashes, causing valid JSON strings ending with an escaped backslash (like \"\\\\\") to never terminate parsing. A remote attacker can send well-formed JSON to cause applications using lwjson_stream_parse() to hang indefinitely, resulting in denial of service.",
"id": "GHSA-hr45-w7f7-w9j6",
"modified": "2026-05-08T21:31:25Z",
"published": "2026-05-08T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29975"
},
{
"type": "WEB",
"url": "https://gist.github.com/dwilliams27/b99fd41be5d6848691797042cbfc1103"
},
{
"type": "WEB",
"url": "https://github.com/MaJerle/lwjson/blob/develop/lwjson/src/lwjson/lwjson_stream.c#L362-L364"
},
{
"type": "WEB",
"url": "https://github.com/MaJerle/lwjson/tree/develop"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HR7V-M862-8HH8
Vulnerability from github – Published: 2022-05-24 22:01 – Updated: 2025-11-04 00:30A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.
{
"affected": [],
"aliases": [
"CVE-2021-3737"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-835"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-03-04T19:15:00Z",
"severity": "LOW"
},
"details": "A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.",
"id": "GHSA-hr7v-m862-8hh8",
"modified": "2025-11-04T00:30:31Z",
"published": "2022-05-24T22:01:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3737"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/25916"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/pull/26503"
},
{
"type": "WEB",
"url": "https://github.com/python/cpython/commit/ea9327036680acc92d9f89eaf6f6a54d2f8d78d9"
},
{
"type": "WEB",
"url": "https://bugs.python.org/issue44022"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1995162"
},
{
"type": "PACKAGE",
"url": "https://github.com/python/cpython"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00024.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
},
{
"type": "WEB",
"url": "https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20220407-0009"
},
{
"type": "WEB",
"url": "https://ubuntu.com/security/CVE-2021-3737"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.