CVE-2020-10735: Python int() Conversion Vulnerability Causing DoS

2024-10-06

Overview

CVE-2020-10735 is a denial-of-service vulnerability in CPython, the reference C implementation of Python. According to MITRE, the issue was reported in March 2020, but it stayed unfixed for well over two years: the public CPython issue and the fix both appeared in September 2022, the patched point releases 3.7.14, 3.8.14, 3.9.14 and 3.10.7 shipped in early September, and the entry was published to the National Vulnerability Database on September 9th, 2022.

The Core Issue

The flaw is in CPython's string-to-integer conversion. For bases that are not a power of two (base 10 included), int() builds the arbitrary-precision result digit by digit, and each step rewrites the whole partial result, so the cost grows with the square of the input length, O(n²). Doubling the string quadruples the time, and a ten-fold longer string costs about a hundred times more: a string of one million digits took roughly 50 seconds to parse in the author's test, while a string a tenth as long finishes about a hundred times faster. The same quadratic conversion runs in the reverse direction when a huge integer is rendered as a decimal string by str(), repr(), or string formatting.

Because the conversion is CPU-bound, one request carrying a long run of digits pins an interpreter thread for seconds to minutes, and a handful of such requests exhaust a worker pool, leaving the service unresponsive: a denial of service.

Mitigation and Fix

The fix shipped in Python 3.7.14, 3.8.14, 3.9.14, 3.10.7 and 3.11.0, and every later release, 3.12 included, carries it. It adds an interpreter-wide limit on the number of digits in string-to-int and int-to-string conversions for non-power-of-two bases, defaulting to 4300 digits; hexadecimal, octal and binary conversions are linear-time and are not limited. Exceeding the limit raises ValueError immediately instead of burning CPU. The developers chose 4300 because it is high enough that ordinary library code never reaches it while keeping the worst case small even on weak CPUs. The limit is a per-process setting rather than an environment setting: it can be changed at runtime with sys.set_int_max_str_digits(), set at startup with the -X int_max_str_digits command-line option or the PYTHONINTMAXSTRDIGITS environment variable, and read back with sys.get_int_max_str_digits(). A value of 0 disables the check entirely, and any non-zero value below 640 is rejected.
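The behaviour of the limit, and the length check an application should apply on its own, as an added example (this is not code from the original post or from CPython; POLICY_MAX_DIGITS and the helper names are assumptions made here):

```python
import re
import sys

# Added example, not code from the original post or from CPython. It exercises the
# CVE-2020-10735 digit limit and shows an application-side length check that
# protects int() calls on untrusted input whether or not the interpreter has the fix.

# True on interpreters that carry the fix (3.7.14, 3.8.14, 3.9.14, 3.10.7, 3.11+).
LIMIT_SUPPORTED = hasattr(sys, "set_int_max_str_digits")

# Application policy (an assumption for this example): no field here legitimately
# holds more than 64 decimal digits. Pick the bound per input, not globally.
POLICY_MAX_DIGITS = 64
_DECIMAL = re.compile(r"[+-]?[0-9]{1,%d}" % POLICY_MAX_DIGITS)   # ASCII digits only
_FORMAT_CODE = {2: "b", 8: "o", 10: "d", 16: "x"}


def current_limit():
    """The process-wide digit limit (0 = unlimited, or no limit support at all)."""
    return sys.get_int_max_str_digits() if LIMIT_SUPPORTED else 0


def conversion_raises(digits, base=10, to_str=False):
    """True if converting a value of `digits` digits in `base` raises ValueError
    under the current limit.  to_str=False tries int(str, base); to_str=True tries
    the reverse direction, formatting a big int, which the fix limits as well.
    Bases 2, 8 and 16 are never limited: their conversion is linear-time."""
    try:
        if to_str:
            format(base ** (digits - 1), _FORMAT_CODE[base])   # exactly `digits` digits
        else:
            int("1" * digits, base)
    except ValueError:
        return True
    return False


def run_with_limit(maxdigits, fn):
    """Call fn() with the limit temporarily set to `maxdigits` (0 disables it), then
    restore the old value.  The setting is per process, not per thread or module,
    so keep such changes narrow and never make them from library code."""
    if not LIMIT_SUPPORTED:
        return fn()
    previous = sys.get_int_max_str_digits()
    sys.set_int_max_str_digits(maxdigits)
    try:
        return fn()
    finally:
        sys.set_int_max_str_digits(previous)


def limit_accepted(value):
    """True if set_int_max_str_digits(value) is accepted: CPython takes 0 or any
    value of at least sys.int_info.str_digits_check_threshold (640), nothing else."""
    if not LIMIT_SUPPORTED:
        return None
    previous = sys.get_int_max_str_digits()
    try:
        sys.set_int_max_str_digits(value)
    except ValueError:
        return False
    finally:
        sys.set_int_max_str_digits(previous)
    return True


def parse_untrusted_decimal(text):
    """Parse a decimal integer from an untrusted source.

    The length is enforced by the pattern *before* int() runs, so oversized input
    costs nothing to reject, the policy can be far tighter than the 4300 default,
    and unpatched interpreters get the same protection.  The pattern also refuses
    forms int() would otherwise accept (surrounding whitespace, underscores,
    non-ASCII digits) that could be used to pad or confuse a naive length check."""
    if not isinstance(text, str):
        raise TypeError("expected str")
    if not _DECIMAL.fullmatch(text):
        raise ValueError(f"not a decimal integer of at most {POLICY_MAX_DIGITS} digits")
    return int(text, 10)


def rejected(text):
    """True if parse_untrusted_decimal() refuses `text`."""
    try:
        parse_untrusted_decimal(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("limit supported:", LIMIT_SUPPORTED, "current limit:", current_limit())
    print("int() of 5000 decimal digits raises:", conversion_raises(5000))
    print("int() of 5000 hex digits raises:", conversion_raises(5000, 16))
    print("str() of a 5000-digit int raises:", conversion_raises(5000, to_str=True))
    print("same parse with the limit disabled raises:",
          run_with_limit(0, lambda: conversion_raises(5000)))
    print("set_int_max_str_digits(100) accepted:", limit_accepted(100))
    for sample in ("12345", "-42", "1_000", " 7 ", "9" * 65):
        print(repr(sample), "rejected" if rejected(sample) else "accepted")
```

The interpreter limit is a safety net for code you do not control; your own parsers should still bound input length explicitly, as parse_untrusted_decimal() does, because a 4300-digit ceiling is still far more than most fields need and an older interpreter has no ceiling at all.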

Demonstration

To demonstrate the vulnerability, write a short Python script that times the conversion of a million-digit decimal string:

import time

fac = 1000000                      # number of zeros after the leading "2"
start_time = time.perf_counter()   # monotonic clock, better for timing than time.time()
int("2" + "0" * fac)               # a 1,000,001-digit decimal string
end_time = time.perf_counter()

print(f"{fac} time: {end_time - start_time} seconds")

On Python 3.12.0, or any release with the fix, this raises ValueError ("Exceeds the limit (4300 digits) for integer string conversion ...") before any parsing work is done.

To reproduce the original behaviour on a patched interpreter, disable the limit for the process (0 means unlimited) and run the same timing:

import sys
import time

sys.set_int_max_str_digits(0)      # 0 removes the limit for this process only
fac = 1000000
start_time = time.perf_counter()
int("2" + "0" * fac)
print(f"{fac} time: {time.perf_counter() - start_time} seconds")

Running it at several sizes (say 10,000, 100,000 and 1,000,000 digits) shows the time growing roughly a hundred-fold for each ten-fold increase in length. That quadratic curve is what an attacker rides: a request carrying a few million digits occupies a CPU core for minutes.

Real-World Impact

Most web applications are shielded by the request-size limits of their web servers and frameworks, so a megabyte of digits rarely reaches int() intact. The vulnerability still matters wherever attacker-controlled text is converted with int() and no length check sits in front of it: command-line tools, message parsers, JSON decoding (json.loads() hands numeric tokens to int()), and administrative interfaces. One vendor-documented example is IBM's BMC firmware. Version OP910 uses Python to help serve HTTPS requests; Python does not process the request body there, but an operator with BMC administrator privilege who runs Python directly from the command line can trigger CVE-2020-10735 by converting a very large string of digits, which is why IBM published a security bulletin for it.

Detection and Root Cause

Exploitation is CPU-bound, not memory-bound: a million-digit string is only about a megabyte, so memory alerts will not fire, but the affected worker pins a core for the whole conversion. Detection therefore keys on CPU time per request and on request or worker timeouts rather than on memory growth; a sampling profiler attached to a stalled process shows the time sitting inside a single int() or str() call, and operating-system process accounting or trace logs show the sustained CPU usage.

The quadratic cost is not in the scanning loop below, which walks the string once to validate and count the digits, but in the conversion that follows it: the digits are folded into the growing arbitrary-precision result, and every fold touches every limb already produced, so the total work is proportional to the square of the digit count. Power-of-two bases avoid this because each character maps to a fixed group of bits and the result can be assembled in one linear pass. The scanning loop, from the CPython source:

while (_PyLong_DigitValue[Py_CHARMASK(*scan)] < base || *scan == '_') {
  . . .
  ++scan;
}
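A pure-Python model of the quadratic cost, as an added example (this is not CPython's code; the 30-bit limb size is an assumption taken from CPython's 64-bit builds, and CPython actually folds several decimal digits per step, which changes the constant but not the shape of the curve):

```python
# Added example, not CPython code: a schoolbook model of the cost behind
# CVE-2020-10735. Each decimal digit is folded into an arbitrary-precision
# accumulator, and every fold rewrites all of the accumulator's limbs, so the
# total work grows with the square of the digit count. LIMB_BITS is an
# assumption (CPython uses 30-bit limbs on 64-bit builds; it also folds digits
# in groups of nine, which scales the constant but not the exponent).

LIMB_BITS = 30


def schoolbook_decimal(text):
    """Convert a string of ASCII decimal digits, returning (value, limb_touches).

    limb_touches counts how many accumulator limbs the multiply-add visits over
    the whole run; it models the work the C inner loop does per digit group."""
    acc = 0
    touches = 0
    for ch in text:
        digit = ord(ch) - ord("0")
        if not 0 <= digit <= 9:
            raise ValueError(f"not a decimal digit: {ch!r}")
        touches += acc.bit_length() // LIMB_BITS + 1   # limbs in the partial result
        acc = acc * 10 + digit                           # one pass over all of them
    return acc, touches


def growth_factor(n):
    """Work for 2n digits divided by work for n digits; close to 4 means quadratic."""
    _, work_n = schoolbook_decimal("7" * n)
    _, work_2n = schoolbook_decimal("7" * (2 * n))
    return work_2n / work_n


if __name__ == "__main__":
    for n in (500, 1000, 2000, 4000):
        _, work = schoolbook_decimal("7" * n)
        print(f"{n:5d} digits: {work:8d} limb touches, x{growth_factor(n):.2f} when doubled")
```

The model never converts a big integer back to a string, so it runs unchanged on patched interpreters; the ratio it prints settles at 4 as the input grows, which is the signature of O(n²) and the reason no constant-factor speedup of the inner loop can fix the problem without a length bound.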

Conclusion

CVE-2020-10735 is a reminder that algorithmic complexity is a security property. Without a limit on the number of digits, any int() call on untrusted input is a denial-of-service vector; with the limit, the worst case is bounded, and application code that validates input length before converting is protected even on interpreters that predate the fix.

References

  1. CVE-2020-10735 — NIST
  2. CVE-2020-10735 — CVE MITRE
  3. CVE-2020-10735 — Red Hat Customer Portal
  4. FAQ for CVE-2020-10735 — GitHub CPython
  5. CVE-2020-10735 Demo — YouTube
  6. Python 3.7.14 Documentation
  7. IBM Security Bulletin for CVE-2020-10735