GHSA-WCJX-V2WJ-XG87: Denial of Service via Uncontrolled Recursion in pyasn1

The c2cciutils package relies heavily on the pyasn1 library for processing Abstract Syntax Notation One (ASN.1) data structures. The pyasn1 library implements decoders for several encoding standards, including Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER). Prior to version 0.6.3, the BER decoder contained a structural flaw in its handling of nested ASN.1 constructed types.

This flaw manifests as an uncontrolled recursion vulnerability, formally categorized under CWE-674. When the decoder encounters a constructed type, such as a SEQUENCE or SET, it invokes itself to process the inner elements of the data structure. The pre-patch implementation failed to limit the depth of these recursive function calls.

An attacker exploits this behavior by supplying a specially crafted ASN.1 payload containing an excessive number of nested tags. Processing this payload forces the Python interpreter to exceed its maximum allowed recursion depth or exhausts available system memory. Both outcomes result in an immediate Denial of Service (DoS) condition, terminating the application abruptly.

The vulnerability originates in the parsing logic defined within pyasn1/codec/ber/decoder.py. The Decoder.__call__ method acts as the primary entry point for parsing incoming ASN.1 tags and extracting their associated data values. The ASN.1 standard permits constructed types to contain other elements, creating complex hierarchical data structures.

To parse these nested structures, the decoder implementation utilized direct recursion. Upon detecting a tag indicating a constructed type within the byte stream, the Decoder.__call__ method initiated a new decoding cycle specifically for the nested content. This recursive descent parsing strategy is common, but it requires strict boundary enforcement to maintain stability.

The critical failure in the pyasn1 design was the complete absence of state tracking across these recursive boundaries. The method did not maintain a counter of the current nesting level, nor did it enforce any upper bound on the recursion depth. Consequently, the depth of the call stack was limited solely by the execution limits of the Python runtime environment or the physical memory of the host system.

The pre-patch implementation of the BER decoder processed elements blindly, without any awareness of the overall structure depth. The parsing loop continuously invoked the decoding function for each nested element discovered in the payload, adding a new frame to the call stack for every layer.

The patch introduced in pyasn1 version 0.6.3 mitigates this design flaw by implementing explicit depth tracking. A constant, MAX_NESTING_DEPTH, is established with a strict default value of 100. The options dictionary, which is securely passed through the recursive calls, now serves as the state carrier for the current structure depth.

# Patch implementation in pyasn1/codec/ber/decoder.py
_nestingLevel = options.get('_nestingLevel', 0)
if _nestingLevel > MAX_NESTING_DEPTH:
    raise error.PyAsn1Error(
        'ASN.1 structure nesting depth exceeds limit (%d)' % MAX_NESTING_DEPTH
    )
options['_nestingLevel'] = _nestingLevel + 1

The method extracts _nestingLevel from the options dictionary, defaulting to 0 for the initial call. It validates this integer against MAX_NESTING_DEPTH. If the limit is exceeded, the decoder immediately halts processing and explicitly raises a controlled PyAsn1Error. Otherwise, it increments the counter and proceeds with the recursive execution.

Exploitation requires the attacker to submit a malformed ASN.1 payload to an endpoint that processes the data using a vulnerable version of pyasn1. The attack leverages the Indefinite-Length SEQUENCE tag, which is represented in BER encoding by the specific byte sequence 0x30 0x80.

The 0x30 byte identifies a SEQUENCE type, while the 0x80 byte indicates that the sequence possesses an indefinite length. An indefinite-length sequence must eventually be terminated by a specific End-of-Contents (EOC) marker. By repeating the 0x30 0x80 bytes continuously, the attacker generates a payload consisting entirely of unclosed, infinitely nested sequences.

from pyasn1.codec.ber import decoder
from pyasn1 import error
 
# Generates 500 nested Indefinite-Length SEQUENCE tags
poc_payload = b'\x30\x80' * 500
 
try:
    decoder.decode(poc_payload)
except RecursionError:
    print("Vulnerability confirmed: RecursionError triggered.")

When this payload is passed to decoder.decode(), the library blindly attempts to resolve the deep structure. The Python interpreter detects the excessive call stack depth and raises a RecursionError, abruptly terminating the application's execution flow. No authentication or complex setup is required to achieve this state.

The primary impact of this vulnerability is a denial of service against the specific application or microservice processing the ASN.1 data. The CVSS v3.1 base score of 7.5 accurately reflects the high availability impact. The attack executes remotely over the network without requiring authentication or user interaction.

The denial of service manifests in two primary ways depending on the execution environment. The most common and immediate outcome is stack exhaustion. The standard Python interpreter enforces a default recursion limit, typically set to 1000 frames. The malicious payload forces the interpreter to hit this limit, triggering an unhandled RecursionError that crashes the active process.

In environments where developers have artificially raised the Python recursion limit using sys.setrecursionlimit(), the vulnerability degrades into memory exhaustion. Each recursive call allocates a new stack frame and instantiates temporary parsing objects. The excessive nesting consumes all available system memory, ultimately leading to an Out-Of-Memory (OOM) kill by the host operating system.

The fundamental remediation strategy is to update the pyasn1 dependency to version 0.6.3 or later. For dependent projects like c2cciutils, administrators must update the project's dependency lock files to ensure the patched version is explicitly pulled during the build process.

Organizations must verify the deployment of the update across all environments using Software Composition Analysis (SCA) tools. The update guarantees that the decoder safely rejects excessively nested payloads. Instead of crashing the application, the parser raises a controlled PyAsn1Error which can be caught and handled gracefully by the application logic.

In network architectures where immediate patching is strictly impossible, ingress mitigations can be applied. Implement rigid payload size limits at the Web Application Firewall (WAF) or API gateway layer. While this does not resolve the underlying parsing flaw, it physically restricts the attacker's ability to deliver the large byte structures required to trigger the deep recursion paths.