CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.

Published: Jan 30, 2020
Updated: Nov 9, 2025
CVE: CVE-2020-8492
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS v2:

Severity: High
Score: 7.1
AV:N/AC:M/Au:N/C:N/I:N/A:C

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
python / python	3.8.0	3.8.1.x
python / python	3.7.0	3.7.6.x
python / python	3.6.0	3.6.10.x
python / python	3.5.0	3.5.9.x
python / python	2.7.0	2.7.17.x
opensuse / leap	15.1	15.1.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	14.04	14.04.x
canonical / ubuntu_linux	19.10	19.10.x
canonical / ubuntu_linux	20.04	20.04.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	12.04	12.04.x
fedoraproject / fedora	31	31.x
fedoraproject / fedora	32	32.x
debian / debian_linux	9.0	9.0.x

Vulnerability Database

300,214

CVE-2020-8492

Deep Security Visibility Without the Complexity