Skip to main content

Urllib3 CVE-2021-33503

HIGH
Uncontrolled Resource Consumption (CWE-400)
2021-06-29 cve@mitre.org
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Jun 29, 2021 - 11:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 pypi packages depend on urllib3 (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.25.4.

DescriptionNVD

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

AnalysisAI

An issue was discovered in urllib3 before 1.26.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. Affected products include: Python Urllib3, Fedoraproject Fedora, Oracle Enterprise Manager Ops Center, Oracle Instantis Enterprisetrack, Oracle Zfs Storage Appliance Kit. Version information: before 1.26.5..

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

CVE-2024-37891 MEDIUM POC
6.5 Jun 17

urllib3 is a user-friendly HTTP client library for Python. Rated medium severity (CVSS 6.5), this vulnerability is remot

CVE-2019-11236 MEDIUM POC
6.1 Apr 15

In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parame

CVE-2018-20060 CRITICAL
9.8 Dec 11

urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e.,

CVE-2025-50181 MEDIUM POC
5.3 Jun 19

urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all r

CVE-2026-21441 HIGH
8.9 Jan 07

Uncontrolled resource consumption in the Python urllib3 HTTP client library (versions 1.22 through 2.6.2) lets a malicio

CVE-2023-43804 HIGH
8.1 Oct 04

urllib3 is a user-friendly HTTP client library for Python. Rated high severity (CVSS 8.1), this vulnerability is remotel

CVE-2025-66418 HIGH
7.5 Dec 05

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of li

CVE-2025-66471 HIGH
7.5 Dec 05

A security vulnerability in version 1.0 and (CVSS 7.5). High severity vulnerability requiring prompt remediation. Vendor

CVE-2020-7212 HIGH
7.5 Mar 06

The _encode_invalid_chars function in util/url.py in the urllib3 library 1.25.2 through 1.25.7 for Python allows a denia

CVE-2019-11324 HIGH
7.5 Apr 18

The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is differ

CVE-2021-28363 MEDIUM
6.5 Mar 15

The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HT

CVE-2020-26137 MEDIUM
6.5 Sep 30

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserti

Share

CVE-2021-33503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy