Python CPython Unicodedata Normalization Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in CPython, specifically within the unicodedata.normalize() function. The issue arises when the function processes specially crafted Unicode input containing long sequences of combining characters whose Canonical Combining Class values alternate. Such input causes the normalization process to exhibit quadratic time complexity, leading to excessive CPU usage: a payload of approximately 0.5 MB can consume over 30 seconds of processing time. The vulnerability affects all normalization forms.

Impact

Exploitation of this vulnerability can lead to significant CPU resource consumption, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by calling unicodedata.normalize() with a string that contains long runs of combining characters arranged so that their Canonical Combining Class values alternate, which is the case in which the normalization process becomes inefficient. Craft a payload meeting these criteria and measure the CPU time taken to process it.

Remediation

Users should update to the latest version of CPython, in which this vulnerability has been addressed. Instructions for updating CPython can be found in the official Python documentation.
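For deployments that cannot update immediately, a defensive wrapper can bound the work handed to the normalizer. The following is an added example, not code from the advisory or from CPython; the function names and the two threshold values are assumptions to be tuned per application.

```python
import unicodedata

# Assumed policy limits (hypothetical values, not from the advisory):
MAX_INPUT_LENGTH = 100_000   # refuse oversized inputs outright
MAX_COMBINING_RUN = 64       # longest tolerated run of combining marks


def longest_combining_run(text: str) -> int:
    """Return the length of the longest run of characters with a
    non-zero Canonical Combining Class (i.e. combining marks).

    The slow case described in the advisory needs long runs of combining
    characters, so this is the property worth bounding before normalizing.
    """
    longest = current = 0
    for ch in text:
        if unicodedata.combining(ch):   # non-zero CCC => combining mark
            current += 1
            if current > longest:
                longest = current
        else:
            current = 0
    return longest


def safe_normalize(form: str, text: str) -> str:
    """Normalize `text` (NFC/NFD/NFKC/NFKD) only after cheap linear-time
    checks reject inputs that could trigger the quadratic behaviour."""
    if len(text) > MAX_INPUT_LENGTH:
        raise ValueError(f"input too long to normalize: {len(text)} chars")
    run = longest_combining_run(text)
    if run > MAX_COMBINING_RUN:
        raise ValueError(f"combining-mark run of {run} exceeds limit "
                         f"{MAX_COMBINING_RUN}")
    return unicodedata.normalize(form, text)


if __name__ == "__main__":
    # Constructed sample: ordinary text with a single combining acute accent.
    print(safe_normalize("NFC", "cafe\u0301"))   # prints "café"
```

Rejected inputs should be logged with their length and run length so that repeated oversized or mark-heavy submissions from one client are visible to monitoring.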

Added: Jun 3, 2026, 4:27 PM
Updated: Jun 3, 2026, 4:27 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 0.6
exploitability: 5.7
remediation: 0.0
relevance: 9.9
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.