DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-MXWC-WH95-PW4G: GHSA-MXWC-WH95-PW4G: Denial of Service via Uncontrolled Recursion in Trapster DNS Parser

GHSA-MXWC-WH95-PW4G: Denial of Service via Uncontrolled Recursion in Trapster DNS Parser

Vulnerability ID: GHSA-MXWC-WH95-PW4G
CVSS Score: 5.3
Published: 2026-07-08

The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.

TL;DR

Unauthenticated malformed DNS compression pointers trigger uncontrolled recursion in the packet decoder, crashing the per-packet handler.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-674
  • Attack Vector: Network (UDP)
  • CVSS v3.1: 5.3 (Medium)
  • Exploit Status: Proof-of-Concept Available
  • Impact: Denial of Service (DoS)

Affected Systems

  • trapster honeypot daemon
  • trapster: <= 1.2.0

Mitigation Strategies

  • Refactor DNS label parsing from a recursive model to an iterative model with decreasing offset tracking.
  • Introduce exception handling in the network protocol entry point to prevent parser exceptions from crashing the asyncio event loop.

Remediation Steps:

  1. Locate the decode_labels function in trapster/libs/dns.py.
  2. Replace the recursive logic with a loop that tracks the maximum allowable pointer offset to prevent circular lookups.
  3. Update trapster/modules/dns.py to wrap decode_dns_message in a try-except block capturing ValueError and struct.error.

References


Read the full report for GHSA-MXWC-WH95-PW4G on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)