PyPI: pyasn1

CVE-2026-23490

Safety vulnerability ID: SFTY-20260116-60729

Safety legacy ID: pyup.io-84605

Affected versions of the pyasn1 package are vulnerable to Denial of Service (DoS) due to unbounded decoding of malformed RELATIVE-OID values with excessive continuation octets. In pyasn1/codec/ber/decoder.py, the BER decoding logic used by pyasn1.codec.ber.decoder.decode() grows a RELATIVE-OID (or OBJECT IDENTIFIER) sub-identifier through the reloid += ((subId << 7) + nextSubId,) accumulation without enforcing a reasonable limit on the number of continuation octets or on the size of the resulting object. Each continuation octet (an octet with its high bit set) adds another 7 bits to the running value, so a long run of them builds an arbitrarily large integer, and parsing such input can exhaust memory.
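To make the failure mode concrete, the following is an added example written for this page; it is not pyasn1's source. It re-implements, in simplified form, the sub-identifier accumulation pattern the advisory describes and places it next to a bounded variant that rejects a sub-identifier once it spans more than a fixed number of octets. The function names, the SubIdTooLong exception, the MAX_SUBID_OCTETS limit and the malformed payload are all this example's own choices, and the 42.840 input is constructed from the well-known encoding of those two arcs.

```python
import time

# Assumed limit (this example's choice, not a pyasn1 setting): a sub-identifier
# encoded in more than this many base-128 octets is rejected. Ten octets carry
# 70 bits, far beyond any sub-identifier used in real object identifiers.
MAX_SUBID_OCTETS = 10


class SubIdTooLong(ValueError):
    """Raised by the bounded decoder when a sub-identifier spans too many octets."""


def decode_reloid_unbounded(chunk: bytes) -> tuple:
    """Simplified re-implementation of the accumulation pattern the advisory
    describes (not pyasn1's source). Every continuation octet (high bit set)
    shifts the running value left by 7 bits and appends 7 more bits, so N
    continuation octets build a 7*N-bit Python int, and every shift copies the
    whole int: work grows quadratically and the result grows without limit."""
    reloid = ()
    index, n = 0, len(chunk)
    while index < n:
        sub_id = chunk[index]
        index += 1
        if sub_id < 0x80:
            reloid += (sub_id,)          # single-octet sub-identifier
            continue
        if sub_id == 0x80:
            raise ValueError("non-minimal encoding: leading 0x80 octet")
        next_sub_id = sub_id
        sub_id = 0
        while next_sub_id >= 0x80:       # no cap on how often this runs
            sub_id = (sub_id << 7) + (next_sub_id & 0x7F)
            if index >= n:
                raise ValueError("substrate underrun inside sub-identifier")
            next_sub_id = chunk[index]
            index += 1
        reloid += ((sub_id << 7) + next_sub_id,)
    return reloid


def decode_reloid_bounded(chunk: bytes, max_octets: int = MAX_SUBID_OCTETS) -> tuple:
    """Same decoding, but each sub-identifier may span at most max_octets
    octets, so the accumulated int and the time spent on one arc are bounded
    before any large value is built."""
    reloid = ()
    index, n = 0, len(chunk)
    while index < n:
        start = index
        value = 0
        while True:
            if index >= n:
                raise ValueError("substrate underrun inside sub-identifier")
            octet = chunk[index]
            index += 1
            if index - start > max_octets:
                raise SubIdTooLong(
                    f"sub-identifier at offset {start} exceeds {max_octets} octets")
            if octet == 0x80 and index - start == 1:
                raise ValueError("non-minimal encoding: leading 0x80 octet")
            value = (value << 7) | (octet & 0x7F)
            if octet < 0x80:             # final octet of this sub-identifier
                break
        reloid += (value,)
    return reloid


def malformed_reloid(continuation_octets: int) -> bytes:
    """Constructed test input: one sub-identifier made of the given number of
    continuation octets (0xFF) followed by a single terminating octet."""
    return b"\xff" * continuation_octets + b"\x7f"


if __name__ == "__main__":
    # Well-formed RELATIVE-OID content octets for arcs 42.840 (hex 2a 86 48).
    print(decode_reloid_unbounded(b"\x2a\x86\x48"), decode_reloid_bounded(b"\x2a\x86\x48"))
    # Doubling the input roughly quadruples the unbounded decoder's time,
    # while the bounded decoder rejects it after reading eleven octets.
    for n in (10_000, 20_000, 40_000):
        payload = malformed_reloid(n)
        t0 = time.perf_counter()
        (value,) = decode_reloid_unbounded(payload)
        elapsed = time.perf_counter() - t0
        try:
            decode_reloid_bounded(payload)
            verdict = "accepted"
        except SubIdTooLong as exc:
            verdict = f"rejected: {exc}"
        print(f"{n:>6} continuation octets -> {value.bit_length()} bit value "
              f"in {elapsed:.3f}s unbounded; bounded {verdict}")
```

The bounded variant fails fast on the attacker-controlled dimension (octets per sub-identifier) rather than on total input length, so a legitimate RELATIVE-OID with many short arcs still decodes, while a single oversized arc is rejected before the integer it would produce is ever allocated. Any real fix in pyasn1 may choose a different limit or mechanism; the point of the example is the shape of the check, not its exact constant.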

Created at: Mar 13, 2026. Updated at: Mar 13, 2026

Overview

pyasn1 has a DoS vulnerability in decoder

Affected Package

Affecting pyasn1 package, versions ==0.6.1

Also affects

---

How to Fix

Upgrade pyasn1 to 0.6.2 or higher.

Mitigation and Workarounds

---


Safety

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.