Advisory Database
  • Advisories
  • Dependency Scanning
  1. pypi
  2. ›
  3. trapster
  4. ›
  5. GHSA-mxwc-wh95-pw4g

GHSA-mxwc-wh95-pw4g: Trapster Community: Unauthenticated malformed DNS compression pointers crash per-packet honeypot handler

July 8, 2026

trapster.libs.dns.decode_labels() decodes DNS names from attacker-supplied UDP packets and recurses once per RFC 1035 compression pointer with no cycle detection and no depth bound. A single unauthenticated UDP datagram sent to the DNS honeypot drives the function past CPython’s recursion limit, raising RecursionError. That exception is not handled anywhere on the datagram_received path, so it escapes into the asyncio event loop’s default exception handler, the per-packet proxy task is never created, and a low-rate flood produces sustained CPU burn and log flooding (denial of service of the DNS honeypot module).

References

  • github.com/0xBallpoint/trapster-community/security/advisories/GHSA-mxwc-wh95-pw4g
  • github.com/advisories/GHSA-mxwc-wh95-pw4g

Code Behaviors & Features

Detect and mitigate GHSA-mxwc-wh95-pw4g with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions up to 1.2.0

Solution

Unfortunately, there is no solution available yet.

Impact 5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Learn more about CVSS

Weakness

  • CWE-674: Uncontrolled Recursion

Source file

pypi/trapster/GHSA-mxwc-wh95-pw4g.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Thu, 09 Jul 2026 12:18:12 +0000.