CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-MXWC-WH95-PW4G

GHSA-MXWC-WH95-PW4G: Denial of Service via Uncontrolled Recursion in Trapster DNS Parser

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 8, 2026·6 min read·4 visits

Executive Summary (TL;DR)

Unauthenticated malformed DNS compression pointers trigger uncontrolled recursion in the packet decoder, crashing the per-packet handler.

The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.

Vulnerability Overview

The trapster package is an open-source, Python-based honeypot framework designed to detect malicious network scanning and reconnaissance activity. It emulates multiple network services, exposing specialized listeners that collect incoming payloads and catalog attacking hosts.

Among its modules is a Domain Name System (DNS) honeypot listener. This listener binds to a specified UDP interface and port, processing unauthenticated packets directly from the network. Because of its exposed nature, this listener represents a primary attack surface for any remote, unauthenticated threat actor targeting the system.

A severe flaw in the DNS parser allows attackers to crash the honeypot handler remotely. The vulnerability stems from uncontrolled recursion (CWE-674) within the packet-parsing logic of the DNS module. By sending carefully crafted DNS packets, a remote attacker can exhaust system resources and render the honeypot completely non-functional.

Root Cause Analysis

To optimize packet sizes, RFC 1035 specifies a mechanism called DNS name compression. Instead of repeating identical domain name labels, the protocol permits a label to point to a prior offset within the same message where the domain name is already defined. A compression pointer is identified when the first two bits of a length byte are set to 11 (binary 11000000 or hex 0xC0).

The vulnerability resides in the decode_labels() function inside trapster/libs/dns.py. When encountering the 0xC0 byte sequence, the function extracts the target offset and recursively calls decode_labels() to resolve the compressed string. It fails to maintain state or verify whether the target offset has already been processed during the execution of the current request.

Because there is no cycle detection or recursion limit, an attacker can exploit this omission by passing a circular reference. Additionally, the parser does not enforce a recursion depth limit, meaning even non-cyclic but highly chained pointer offsets can trigger a stack overflow. When CPython encounters these inputs, it raises a RecursionError and halts processing.

Code Analysis

An analysis of the vulnerable source code in trapster/libs/dns.py reveals the following structural implementation:

def decode_labels(message, offset):
    labels = []
    while True:
        length, = struct.unpack_from("!B", message, offset)
        if (length & 0xC0) == 0xC0:
            pointer, = struct.unpack_from("!H", message, offset)
            offset += 2
            # Vulnerable recursive call
            return labels + decode_labels(message, pointer & 0x3FFF), offset

The recursive call decode_labels(message, pointer & 0x3FFF) accepts any arbitrary offset parsed from the network packet without enforcing any upper boundaries or monotonic progression restrictions. An attacker-controlled pointer can point backwards, forwards, or to itself, leading to infinite loops or deep exhaustion of the stack.

To remediate this root cause, the function must be refactored into an iterative structure. A safe implementation tracks the maximum allowed offset, ensuring that any subsequent compression pointer strictly references a decreasing index within the packet byte array, thereby preventing cycles entirely. The following code snippet shows a robust, hardened iterative version:

def decode_labels(message, offset):
    labels = []
    return_offset = None
    max_allowed_pointer = len(message)
    while True:
        length, = struct.unpack_from("!B", message, offset)
        if (length & 0xC0) == 0xC0:
            pointer, = struct.unpack_from("!H", message, offset)
            if return_offset is None:
                return_offset = offset + 2
            target = pointer & 0x3FFF
            if target >= max_allowed_pointer:
                raise ValueError("invalid DNS compression pointer")
            max_allowed_pointer = target
            offset = target
            continue

Exploitation Methodology

Exploitation of this vulnerability is highly operationalizable and requires zero prerequisites. Because the honeypot binds to a public-facing UDP port to catch scanning attempts, the attack payload can be delivered in a single, unauthenticated UDP packet.

The first vector (Vector A) employs a self-referential compression pointer. The attacker builds a DNS query where a label pointer references its own offset (for example, offset 12). When the parser reads offset 12, it encounters 0xC00C, leading to an immediate loop that exhausts Python's recursion limit.

The second vector (Vector B) constructs a deep pointer chain. The packet contains a highly nested list of pointers that link to one another sequentially. This allows an attacker to trigger a stack crash even if the implementation checks for direct circular references, as the cumulative recursion depth exceeds Python's default stack frame limit.

Because the DNS server implementation in trapster fails to capture parsing-related exceptions inside DnsUdpProtocol.datagram_received(), the raised RecursionError escapes the task handler and propagates to the main asyncio event loop. This leads to thread instability, massive log generation, and a persistent Denial of Service.

Impact Assessment

While this vulnerability does not allow remote code execution or unauthorized access to system data, its security impact remains highly significant for monitoring infrastructure. The primary consequence is a complete Denial of Service (DoS) of the DNS honeypot listener.

Honeypots serve as a critical early warning system for enterprise networks, logging pre-attack scanning and mapping active threats. By disabling the trapster listener, an attacker can blind the security team, executing subsequent attacks and scanning networks without triggering alerts.

The CVSS v3.1 base score is assessed at 5.3, with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. Although the availability impact is classified as low under standard CVSS metrics because it does not crash the host operating system, it completely neutralizes the functional utility of the security tool.

Remediation and Mitigation

Remediation of this vulnerability requires updating the DNS module to use an iterative label parsing algorithm. Security administrators should deploy the iterative refactoring of decode_labels() as shown in the code analysis section to prevent pointer loops.

In addition to parsing corrections, the core network listener in trapster/modules/dns.py must be hardened. The calling logic should handle parsing errors locally instead of allowing raw exceptions to escape into the underlying event loop. The protocol handler should wrap the decode sequence in a standard try-except structure:

try:
    message = dns.decode_dns_message(data)
except (ValueError, IndexError, struct.error) as err:
    self.logger.warning(f"Malformed DNS packet received: {err}")
    return

Implementing both the iterative parser and local exception containment provides complete protection against variant compression attacks and ensures service stability during hostile network exposure.

Technical Appendix

CVSS Score
5.3/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected Systems

trapster honeypot daemon

Affected Versions Detail

Product
Affected Versions
Fixed Version
trapster
0xBallpoint
<= 1.2.0-
AttributeDetail
CWE IDCWE-674
Attack VectorNetwork (UDP)
CVSS v3.15.3 (Medium)
Exploit StatusProof-of-Concept Available
ImpactDenial of Service (DoS)

MITRE ATT&CK Mapping

T1499.004Endpoint DoS: Application Exhaustion
Impact
CWE-674
Uncontrolled Recursion

The software does not properly control the recursion depth or cycle detection when handling nested structures, leading to a stack exhaustion or crash.

Vulnerability Timeline

Vulnerability identified in private audit of DNS parsing engine
2026-06-15
Coordinated disclosure and publication of GHSA-MXWC-WH95-PW4G
2026-07-08

References & Sources

  • [1]GitHub Security Advisory GHSA-MXWC-WH95-PW4G
  • [2]Target Project Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
3 views•5 min read
•about 2 hours ago•CVE-2026-49471
8.3

CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning

CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.

Alon Barad
Alon Barad
6 views•5 min read
•about 3 hours ago•GHSA-Q95X-7G78-RCCV
6.3

GHSA-Q95X-7G78-RCCV: Safe Rust Memory Corruption via Use-After-Free in oneringbuf Crate

A critical Use-After-Free (UAF) memory corruption vulnerability exists in the oneringbuf Rust crate prior to version 0.8.0. The vulnerability allows safe Rust code to instantiate and clone reference wrappers that point to heap-allocated ring buffers. Dropping one wrapper prematurely reclaims the backing memory, leading to dangling pointer references and subsequent Use-After-Free or Double Free states.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 16 hours ago•CVE-2026-53359
8.8

CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.

Amit Schendel
Amit Schendel
71 views•5 min read
•about 16 hours ago•CVE-2026-48282
10.0

CVE-2026-48282: Unauthenticated Path Traversal and Arbitrary File Write in Adobe ColdFusion Remote Development Services

CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.

Alon Barad
Alon Barad
26 views•6 min read
•about 21 hours ago•GHSA-GQ4G-FPC9-VJFQ
2.3

GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.

Alon Barad
Alon Barad
8 views•5 min read