Skip to content

chore(deps): update dependency pyasn1 to v0.6.3 [security]#124

Open
renovate-bot wants to merge 1 commit intogoogleapis:mainfrom
renovate-bot:renovate/pypi-pyasn1-vulnerability
Open

chore(deps): update dependency pyasn1 to v0.6.3 [security]#124
renovate-bot wants to merge 1 commit intogoogleapis:mainfrom
renovate-bot:renovate/pypi-pyasn1-vulnerability

Conversation

@renovate-bot
Copy link
Contributor

@renovate-bot renovate-bot commented Mar 17, 2026

This PR contains the following updates:

Package Change Age Confidence
pyasn1 (changelog) ==0.4.8==0.6.3 age confidence

GitHub Vulnerability Alerts

CVE-2026-30922

Summary

The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application.

This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (MAX_OID_ARC_CONTINUATION_OCTETS) does not mitigate this recursion issue.

Details

The vulnerability exists because the decoder iterates through the input stream and recursively calls decodeFun (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.
Vulnerable Code Locations:

  1. indefLenValueDecoder (Line 998):
    for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):
    This method handles indefinite-length constructed types. It sits inside a while True loop and recursively calls the decoder for every nested tag.

  2. valueDecoder (Lines 786 and 907):
    for component in decodeFun(substrate, componentType, **options):
    This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of SEQUENCE or SET types. Line 907: Recursively decodes elements of SEQUENCE OF or SET OF types.

  3. _decodeComponentsSchemaless (Line 661):
    for component in decodeFun(substrate, **options):
    This method handles decoding when no schema is provided.

In all three cases, decodeFun is invoked without passing a depth parameter or checking against a global MAX_ASN1_NESTING limit.

PoC

import sys
from pyasn1.codec.ber import decoder

sys.setrecursionlimit(100000)

print("[*] Generating Recursion Bomb Payload...")
depth = 50_000
chunk = b'\x30\x80' 
payload = chunk * depth

print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering Decoder...")

try:
    decoder.decode(payload)
except RecursionError:
    print("[!] Crashed: Recursion Limit Hit")
except MemoryError:
    print("[!] Crashed: Out of Memory")
except Exception as e:
    print(f"[!] Crashed: {e}")

[*] Payload size: 9.77 KB
[*] Triggering Decoder...
[!] Crashed: Recursion Limit Hit

Impact

  • This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.
  • Service Crash: Any service using pyasn1 to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.
  • Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.

Credits

Vulnerability discovered by Kevin Tu of TMIR at ByteDance.

Release Notes

pyasn1/pyasn1 (pyasn1)

v0.6.3

Compare Source

v0.6.2

Compare Source

v0.6.1

Compare Source

v0.6.0

Compare Source

  • Added support for previously missing RELATIVE-OID construct
    pr #​48
  • Updated link to Layman's Guide
    Now it provides a link to links to a formatted PDF version of the paper,
    at a stable domain (researchgate), using https
    pr #​50
  • Removed support for EOL Python 2.7, 3.6, 3.7
    pr #​56

v0.5.1

Compare Source

  • Added support for PyPy 3.10 and Python 3.12
    pr #​32

  • Updated RTD configuration to include a dummy index.rst
    redirecting to contents.html, ensuring compatibility with
    third-party documentation and search indexes.
    pr #​47

  • Fixed the API breakage wih decoder.decode(substrateFun=...).

    A substrateFun passed to decoder.decode() can now be either
    v0.4 Non-Streaming or v0.5 Streaming. pyasn1 will detect and
    handle both cases transparently.

    A substrateFun passed to one of the new streaming decoders is
    still expected to be v0.5 Streaming only.
    pr #​30
    pr #​39

v0.5.0

Compare Source

  • Change RealEncoder.supportIndefLenMode type to a boolean
    pr #​21

  • Fix CI for py39 test environment
    pr #​25

  • Replace all snmplabs.com links
    issue #​4

  • Use correct SPDX identifier for the license
    pr #​16

  • Re-add tagMap and typeMap module level attributes to all
    encoder and decoder modules. They are aliases for TAG_MAP and
    TYPE_MAP, issue #​9.

  • Restore API for passing for tagMap and typeMap arguments
    to Encoder and Decoder classes by name and position,
    issue #​12.

  • Re-add tagMap and typeMap module level attributes to all
    encoder and decoder modules. They are aliases for TAG_MAP and
    TYPE_MAP, issue #​9.

  • Restore API for passing for tagMap and typeMap arguments
    to Encoder and Decoder classes by name and position,

  • Make BER/CER/DER decoders streaming and suspendible

    The goal of this change is to make the decoder yielding on input
    data starvation and resuming from where it stopped whenever the
    caller decides to try again (hopefully making sure that some more
    input becomes available).

    This change makes it possible for the decoder to operate on streams
    of data (meaning that the entire DER blob might not be immediately
    available on input).

    On top of that, the decoder yields partially reconstructed ASN.1
    object on input starvation making it possible for the caller to
    inspect what has been decoded so far and possibly consume partial
    ASN.1 data.

    All these new feature are natively available through
    StreamingDecoder class. Previously published API is implemented
    as a thin wrapper on top of that ensuring backward compatibility.

  • Added support for Python 3.8, 3.9, 3.10, 3.11

  • Removed support for EOL Pythons 2.4, 2.5, 2.6, 3.2, 3.3, 3.4, 3.5

  • Added support for PyPy 3.7, 3.8, 3.9

  • Modernized packaging and testing. pyasn1 now uses setup.cfg,
    pyproject.toml, build, and
    GitHub Actions.

  • PyPI package ownership for pyasn1 and pyasn1-module has been
    transfered to Christian Heimes and Simon Pichugin in
    PyPI support ticket #​2090.

  • The upstream repositories for pyasn1 and pyasn1-modules are now
    in the GitHub organization https://github.com/pyasn1/.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Mar 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

kokoro:force-run Add this label to force Kokoro to re-run the tests.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@renovate-bot