PT-2022-6568 · Unknown · Python Charmers Future

Wshanks · Published 2022-12-22 · Updated 2026-05-13 · CVE-2022-40899

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Python Charmers Future versions 0.18.2 and earlier

Description: The issue stems from improper input validation when handling the Set-Cookie header. A remote attacker can send a specially crafted HTTP request that triggers a regular expression denial of service (ReDoS) in the header parsing, causing excessive CPU usage.

Recommendations: For versions 0.18.2 and earlier, update to version 0.18.3, which resolves the issue. As a temporary workaround, restrict access to the Set-Cookie header to reduce the risk of exploitation, and avoid using the Set-Cookie header in the affected API endpoint until the issue is resolved.

Tags: Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1823
ALT-PU-2025-11603
BDU:2023-02446
CVE-2022-40899
GHSA-V3C5-JQR6-7QM8
MGASA-2023-0030
OESA-2023-1176
OPENSUSE-SU-2023_0079-1
OPENSUSE-SU-2024:12597-1
PYSEC-2022-42991
RHSA-2023:2101
RHSA-2023:4466
RHSA-2023:6818
RLSA-2023:6818
SUSE-SU-2023:0076-1
SUSE-SU-2023:0078-1
SUSE-SU-2023:0079-1
SUSE-SU-2023:0080-1
SUSE-SU-2023:0663-1
SUSE-SU-2023_0076-1
SUSE-SU-2023_0078-1
SUSE-SU-2023_0079-1
SUSE-SU-2023_0080-1
SUSE-SU-2023_0663-1
USN-5833-1

Affected Products

Alt Linux
Astra Linux
Debian
Linuxmint
Python Charmers Future
Red Os
Rocky Linux
Suse
Ubuntu