GHSA-mxwc-wh95-pw4g: Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler
Summary
trapster.libs.dns.decode_labels() decodes DNS names from attacker-supplied UDP packets and recurses once per RFC 1035 compression pointer with no cycle detection and no depth bound. A single unauthenticated UDP datagram sent to the DNS honeypot drives the function past CPython's recursion limit, raising RecursionError. That exception is not handled anywhere on the datagram_received path, so it escapes into the asyncio event loop's default exception handler, the per-packet proxy task is never created, and a low-rate flood produces sustained CPU burn and log flooding (denial of service of the DNS honeypot module).
Severity
Medium (CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Network-reachable, unauthenticated, single-packet, availability-only against the DNS honeypot listener.
Affected component
- File: trapster/libs/dns.py, function decode_labels() (called by decode_question_section → decode_dns_message).
- Reached from: trapster/modules/dns.py, DnsUdpProtocol.datagram_received() → dns.decode_dns_message(data), where data is the raw attacker UDP payload received by DnsHoneypot on its configured bind address/port.
- Version tested: latest main at commit 23156739de23816657cbc4582ad32094ed1cab43.
Details
decode_labels implements RFC 1035 §4.1.4 name compression:
def decode_labels(message, offset):
labels = []
while True:
length, = struct.unpack_from("!B", message, offset)
if (length & 0xC0) == 0xC0:
pointer, = struct.unpack_from("!H", message, offset)
offset += 2
return labels + decode_labels(message, pointer & 0x3FFF), offset # <-- recurses per pointer
...
Each compression pointer triggers a fresh recursive call to decode_labels. There is:
- No cycle detection — a pointer that targets its own offset recurses forever.
- No depth bound — a chain of distinct forward pointers recurses once per pointer.
Either shape exhausts the Python stack and raises RecursionError. decode_dns_message does not catch it, and in DnsUdpProtocol.datagram_received the call
Details
Original advisory: https://github.com/advisories/GHSA-mxwc-wh95-pw4g
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10