PyPI: pyasn1

CVE-2026-30922

Safety vulnerability ID: SFTY-20260317-69628

Safety legacy ID: pyup.io-89623

Created at: Mar 25, 2026
Updated at: Mar 25, 2026

Overview

Denial of Service in pyasn1 via Unbounded Recursion

Advisory

Affected versions of the pyasn1 package are vulnerable to Denial of Service (DoS) due to uncontrolled recursion when decoding deeply nested ASN.1 data. The vulnerability exists in the BER decoder’s indefLenValueDecoder, valueDecoder, and _decodeComponentsSchemaless code paths, where decodeFun is recursively invoked for nested SEQUENCE, SET, SEQUENCE OF, and SET OF elements without enforcing a recursion-depth limit.
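
For services that must parse untrusted BER before they can move to the fixed release, the following pre-decode guard measures constructed nesting iteratively, so the check itself cannot exhaust the stack. It is an added example, not code from this advisory or from pyasn1; the names `ber_max_depth`, `MAX_DEPTH` and the limit of 64 are assumptions chosen for illustration.

```python
MAX_DEPTH = 64  # hypothetical limit chosen for this example, not a pyasn1 constant

# Constructed sample: SEQUENCE { SEQUENCE { INTEGER 1 } }, nesting depth 2.
SAMPLE = bytes.fromhex("30053003020101")


def ber_max_depth(data: bytes, limit: int = MAX_DEPTH) -> int:
    """Return deepest constructed nesting, iteratively; ValueError if over limit or malformed."""
    stack = []  # one entry per open constructed value: end offset, or None if indefinite
    pos, deepest, n = 0, 0, len(data)
    while pos < n:
        # Leave definite-length containers whose contents are fully consumed.
        while stack and stack[-1] is not None and pos >= stack[-1]:
            stack.pop()
        # End-of-contents octets close the innermost indefinite-length container.
        if stack and stack[-1] is None and data[pos:pos + 2] == b"\x00\x00":
            stack.pop()
            pos += 2
            continue
        tag = data[pos]
        pos += 1
        if tag & 0x1F == 0x1F:  # high-tag-number form: skip continuation octets
            while pos < n and data[pos] & 0x80:
                pos += 1
            pos += 1
        if pos >= n:
            raise ValueError("truncated BER header")
        length = data[pos]
        pos += 1
        if length == 0x80:  # indefinite length
            end = None
        elif length & 0x80:  # long form: next k octets hold the length
            k = length & 0x7F
            end = pos + k + int.from_bytes(data[pos:pos + k], "big")
            pos += k
        else:
            end = pos + length
        if end is not None and (pos > n or end > n):
            raise ValueError("BER length runs past end of input")
        if tag & 0x20:  # constructed: contents are nested TLVs
            stack.append(end)
            deepest = max(deepest, len(stack))
            if deepest > limit:
                raise ValueError(f"BER nesting deeper than {limit}")
        elif end is None:
            raise ValueError("indefinite length on a primitive value")
        else:
            pos = end  # primitive: skip its contents
    return deepest
```

Call it on untrusted bytes before `pyasn1.codec.ber.decoder.decode` and reject the input on `ValueError`. It counts every constructed value, so it is at least as strict as the SEQUENCE and SET nesting described above.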

Affected Package

Affecting pyasn1 package, versions < 0.6.3

Also affects

---

How to Fix

Upgrade pyasn1 to 0.6.3 or higher.

Mitigation and Workarounds

---


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
