GHSA-WCJX-V2WJ-XG87: Denial of Service via Uncontrolled Recursion in pyasn1
Vulnerability ID: GHSA-WCJX-V2WJ-XG87
CVSS Score: 7.5
Published: 2026-03-26
The c2cciutils package relies on the pyasn1 library for processing Abstract Syntax Notation One (ASN.1) data structures. Prior to version 0.6.3, the pyasn1 library contained a critical uncontrolled recursion flaw in its Basic Encoding Rules (BER) decoder, allowing remote attackers to cause a Denial of Service (DoS) via crafted, deeply nested payloads.
TL;DR
A denial-of-service vulnerability exists in pyasn1 < 0.6.3 (used by c2cciutils) due to uncontrolled recursion during the parsing of nested ASN.1 structures. Attackers can trigger stack exhaustion or memory exhaustion using crafted payloads. Mitigation requires updating pyasn1 to version 0.6.3 or higher.
⚠️ Exploit Status: POC
Technical Details
- Vulnerability Class: CWE-674: Uncontrolled Recursion
- Attack Vector: Network
- CVSS v3.1 Score: 7.5 (High)
- EPSS Score: 0.00049 (15.38th Percentile)
- Impact: Denial of Service (Stack Exhaustion / OOM)
- Exploit Status: Proof of Concept Available
- CISA KEV Status: Not Listed
Affected Systems
- pyasn1 library
- c2cciutils (via transitive dependency)
- c2cciutils: any version resolving pyasn1 < 0.6.3 (fixed by pyasn1 0.6.3)
- pyasn1: < 0.6.3 (fixed in 0.6.3)
Mitigation Strategies
- Update pyasn1 dependency to version 0.6.3 or higher.
- Ensure c2cciutils resolves to a pyasn1 dependency >= 0.6.3.
- Implement application-level exception handling for PyAsn1Error to prevent unhandled crashes.
- Apply strict request body size limits at the ingress controller or WAF layer.
Remediation Steps
- Identify all applications utilizing c2cciutils or pyasn1 in the software supply chain.
- Update the Pipfile, requirements.txt, or equivalent dependency lock file to mandate pyasn1 >= 0.6.3.
- Rebuild container images and deployment artifacts to include the patched library.
- Deploy the updated application and verify that malformed payloads return a handled error rather than a process crash.
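To support the lock-file audit in the remediation steps, the following added example (not part of the advisory, of pyasn1 or of c2cciutils) scans a requirements.txt or Pipfile.lock for the pyasn1 pin and classifies it against the 0.6.3 fix version. The sample inputs are constructed; the helper names are ours.

```python
import json
import re

# Minimum fixed pyasn1 version per the advisory.
SAFE_PYASN1 = (0, 6, 3)

# Constructed sample inputs (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
c2cciutils
pyasn1==0.6.2
pyasn1-modules==0.4.0
"""
SAMPLE_PIPFILE_LOCK = json.dumps({
    "default": {"pyasn1": {"version": "==0.6.3"}, "c2cciutils": {"version": "*"}}
})


def parse_version(text):
    """Turn '0.6.2' into (0, 6, 2); trailing pre-release tags are ignored."""
    numeric = re.match(r"\d+(?:\.\d+)*", text).group(0)
    return tuple(int(p) for p in numeric.split("."))


def pyasn1_pin(requirements_text):
    """Return the exact pyasn1 pin from requirements.txt, or None if unpinned."""
    for line in requirements_text.splitlines():
        # Only the exact package name, so pyasn1-modules is not mistaken for pyasn1.
        m = re.match(r"^\s*pyasn1\s*==\s*([\d.]+\w*)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def pyasn1_pin_from_pipfile_lock(lock_text):
    """Return the locked pyasn1 version from a Pipfile.lock, or None."""
    data = json.loads(lock_text)
    for section in ("default", "develop"):
        entry = data.get(section, {}).get("pyasn1")
        if entry and entry.get("version", "").startswith("=="):
            return entry["version"][2:]
    return None


def assess(version):
    """'vulnerable' below 0.6.3, 'fixed' at or above it, 'unpinned' if no exact pin."""
    if version is None:
        return "unpinned"
    return "vulnerable" if parse_version(version) < SAFE_PYASN1 else "fixed"


if __name__ == "__main__":
    print("requirements.txt:", assess(pyasn1_pin(SAMPLE_REQUIREMENTS)))
    print("Pipfile.lock:", assess(pyasn1_pin_from_pipfile_lock(SAMPLE_PIPFILE_LOCK)))
```

An "unpinned" result means the resolved version depends on the installer's choice and must be checked in the built artifact rather than the manifest.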