CVE-2021-32837

mechanize vulnerable to ReDoS

CVSS 7.5 HIGH | EPSS 26.7% | CWE-1333
In short

A vulnerable regular expression in the mechanize library can be exploited by a malicious web server to crash the application by sending specially crafted responses. This happens because the regex takes too long to process certain input patterns, causing a denial of service.

Technical detail

The mechanize library prior to version 0.4.6 contains a ReDoS (Regular Expression Denial of Service) vulnerability in one of its regex patterns (CWE-1333). An attacker controlling a web server can craft a malicious HTTP response that triggers catastrophic backtracking in the regex engine, causing the application to hang or crash. The attack requires no authentication and no user interaction; the application only needs to process a response from a network-accessible server.

Summary generated and translated by AI from the official description.
mechanize, a library for automatically interacting with HTTP web servers, contains a regular expression that is vulnerable to regular expression denial of service (ReDoS) prior to version 0.4.6. If a web server responds in a malicious way, then mechanize could crash. Version 0.4.6 has a patch for the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
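A practical exposure check, added here as an example (it is not part of the advisory or of the mechanize project): it scans `pip freeze`-style output for a mechanize pin below the fixed release 0.4.6. The sample freeze lines are constructed, and pre-release or post-release suffixes on 0.4.6 itself are conservatively flagged as exposed.

```python
import re
from typing import List, Tuple

# mechanize 0.4.6 carries the fix for CVE-2021-32837.
FIXED_VERSION = (0, 4, 6)

# Constructed sample of `pip freeze` output; not taken from any real environment.
SAMPLE_FREEZE = """\
beautifulsoup4==4.12.2
mechanize==0.4.5
requests==2.31.0
"""

# name==version lines; other specifier forms (>=, editable installs) are skipped.
_LINE_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\S+)\s*$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Split a version into its leading numeric components plus a flag that is
    True when a non-numeric suffix (rc1, post1, dev0, ...) was present.
    '0.4.6' -> ((0, 4, 6), False); '0.4.6rc1' -> ((0, 4, 6), True)."""
    nums: List[int] = []
    has_suffix = False
    for part in text.split("."):
        m = re.match(r"(\d+)(.*)", part)
        if not m:
            has_suffix = True
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            has_suffix = True
            break
    return tuple(nums), has_suffix


def is_vulnerable(version: str) -> bool:
    """True when a mechanize version is below 0.4.6. A suffixed 0.4.6 (rc, post,
    dev) is also flagged so that an unusual build is reviewed rather than ignored."""
    nums, has_suffix = parse_version(version)
    return nums < FIXED_VERSION or (nums == FIXED_VERSION and has_suffix)


def find_vulnerable_mechanize(freeze_text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every mechanize pin that is_vulnerable() flags."""
    hits = []
    for line in freeze_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group(1).lower() == "mechanize" and is_vulnerable(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print(find_vulnerable_mechanize(SAMPLE_FREEZE))
```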
