CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-mxwc-wh95-pw4g: Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler

mediumCVSS 5.3
Summary trapster.libs.dns.decode_labels() decodes DNS names from attacker-supplied UDP packets and recurses once per RFC 1035 compression pointer with no cycle detection and no depth bound. A single unauthenticated UDP datagram sent to the DNS honeypot drives the function past CPython's recursion limit, raising RecursionError. That exception is not handled anywhere on the datagram_received path, so it escapes into the asyncio event loop's default exception handler, the per-packet proxy task is never created, and a low-rate flood produces sustained CPU burn and log flooding (denial of service of the DNS honeypot module). Severity Medium (CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Network-reachable, unauthenticated, single-packet, availability-only against the DNS honeypot listener. Affected component - File: trapster/libs/dns.py, function decode_labels() (called by decode_question_section → decode_dns_message). - Reached from: trapster/modules/dns.py, DnsUdpProtocol.datagram_received() → dns.decode_dns_message(data), where data is the raw attacker UDP payload received by DnsHoneypot on its configured bind address/port. - Version tested: latest main at commit 23156739de23816657cbc4582ad32094ed1cab43. Details decode_labels implements RFC 1035 §4.1.4 name compression: def decode_labels(message, offset): labels = [] while True: length, = struct.unpack_from("!B", message, offset) if (length & 0xC0) == 0xC0: pointer, = struct.unpack_from("!H", message, offset) offset += 2 return labels + decode_labels(message, pointer & 0x3FFF), offset # <-- recurses per pointer ... Each compression pointer triggers a fresh recursive call to decode_labels. There is: - No cycle detection — a pointer that targets its own offset recurses forever. - No depth bound — a chain of distinct forward pointers recurses once per pointer. Either shape exhausts the Python stack and raises RecursionError. decode_dns_message does not catch it, and in DnsUdpProtocol.datagram_received the call

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.3
Published
2026-07-08
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-mxwc-wh95-pw4g

More from GitHub Security Advisories