Python HTML Parser Denial-of-Service Vulnerability Due to Quadratic Complexity

Vulnerability

A denial-of-service vulnerability has been identified in the HTMLParser class of Python's html.parser module, affecting versions 3.9 through 3.14. The parser has worst-case quadratic complexity in the input length when it processes certain crafted malformed inputs, so an attacker who controls the input can amplify a denial-of-service condition by making the parser spend far more time than the input size would normally justify.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition: on the crafted input the HTML parser becomes significantly slower, delaying processing and disrupting normal application performance.

Reproduction

The vulnerability can be reproduced by using the HTMLParser class to parse specially crafted HTML inputs that trigger the quadratic behaviour. One way is a test that feeds the parser inputs designed for worst-case performance, such as nested tags or comments that the parser must process extensively, and measures how parse time grows with input size.

Remediation

Users can upgrade to Python versions 3.15 or later, where this vulnerability has been addressed.
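Where upgrading is not immediately possible, the practical defence against a quadratic worst case is to bound the input length before it reaches the parser, since bounding the length bounds the worst-case work. The following is an added example, not code from the advisory or from CPython: it wraps HTMLParser with an assumed size cap (MAX_HTML_CHARS, chosen here for illustration) and includes a regression helper that reports how parse time scales when the input doubles, so a team can check its own inputs for super-linear behaviour. The crafted malformed input itself is not reproduced here; benign_input is a constructed well-formed sample used only to show the harness running.

```python
from html.parser import HTMLParser
import time

# Assumed limit, not from the advisory: maximum untrusted HTML accepted per request.
MAX_HTML_CHARS = 256 * 1024


class TagCollector(HTMLParser):
    """Minimal subclass that records start tags; stands in for real parsing logic."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def parse_untrusted_html(data: str, max_chars: int = MAX_HTML_CHARS) -> list[str]:
    """Parse HTML from an untrusted source, refusing inputs above a size cap.

    With a quadratic worst case, an input of length n can cost on the order of
    n**2 work; rejecting oversized input keeps that bound small and predictable.
    """
    if len(data) > max_chars:
        raise ValueError(
            f"HTML input of {len(data)} chars exceeds limit of {max_chars}"
        )
    parser = TagCollector()
    parser.feed(data)
    parser.close()
    return parser.tags


def scaling_ratio(make_input, n: int, repeats: int = 3) -> float:
    """Return t(2n) / t(n) for the parser on inputs produced by make_input(size).

    A ratio near 2 indicates linear behaviour, a ratio near 4 quadratic.
    Use it as a regression check over inputs you already know to be slow.
    """

    def best_time(size: int) -> float:
        html = make_input(size)
        best = float("inf")
        for _ in range(repeats):
            parser = TagCollector()
            start = time.perf_counter()
            parser.feed(html)
            parser.close()
            best = min(best, time.perf_counter() - start)
        return best

    return best_time(2 * n) / best_time(n)


def benign_input(size: int) -> str:
    """Constructed well-formed sample of roughly `size` chars; not a worst-case input."""
    return "<p>x</p>" * (size // 8)


if __name__ == "__main__":
    print(parse_untrusted_html("<html><body><p>hello</p><br></body></html>"))
    print(f"t(2n)/t(n) on benign input: {scaling_ratio(benign_input, 200_000):.2f}")
```

The ratio printed for benign_input will sit near 2 because the sample is well-formed; the value of the helper is in running it against the inputs a deployment actually receives, where a ratio approaching 4 flags the quadratic path this advisory describes.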

Added: Jun 17, 2025, 2:28 PM
Updated: Jun 17, 2025, 2:28 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.