CVE-2022-40899
Aliases:GHSA-v3c5-jqr6-7qm8PYSEC-2022-42991
Advisory lineage Upstream: 0 Downstream: 12
Modified
Published: 22 Dec 2022, 00:00
Last modified:15 Apr 2025, 15:52
Vulnerability Summary
Overall Risk (default)
medium
40/100 CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
0.43% LOW
0% probability +0.05%
KEV
Not listed
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected
Timeline
22 Dec 2022, 00:00
Published
Vulnerability first disclosed
15 Apr 2025, 15:52
Last Modified
Vulnerability information updated
Description
An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.
CVSS Metrics
- v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.43%• Percentile: 63%
Techniques & Countermeasures
- CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- PyPI•future
< 0.18.3
- pythoncharmers•python-future
≤ 0.18.2
References (11)
- https://pypi.org/project/future/
- https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215
- https://github.com/python/cpython/pull/17157
- https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
- https://github.com/PythonCharmers/python-future/pull/610
- https://nvd.nist.gov/vuln/detail/CVE-2022-40899
- https://github.com/PythonCharmers/python-future/commit/c91d70b34ef0402aef3e9d04364ba98509dca76f
- https://github.com/PythonCharmers/python-future
- https://github.com/pypa/advisory-database/tree/main/vulns/future/PYSEC-2022-42991.yaml
- https://pypi.org/project/future
- https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages