CVE-2021-3737: High severity Python Python vulnerability

Published Aug 9, 2021
·
Updated

A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability.

Other sources

HTTP client can get stuck infinitely reading len(line) < 64k lines after receiving a '100 Continue' HTTP response. This could lead to the client being a bandwidth sink for anyone in control of a server.

References:

https://bugs.python.org/issue44022 https://github.com/python/cpython/pull/25916 https://github.com/python/cpython/pull/26503 https://build.opensuse.org/package/viewfile/devel:languages:python:Factory/python/bpo44022-fix-http-client-infinite-line-reading-after-a-HTTP-100-Continue.patch?expand=1 https://bugzilla.redhat.com/showbug.cgi?id=1991918

Red Hat

Python is vulnerable to a denial of service, caused by improper handling of HTTP response in the HTTP client code. By persuading a victim to visit a specially-crafted web site, a remote attacker could exploit this vulnerability to cause the client script enter an infinite loop, and results in a denial of service condition.

IBM

Affected Software

43 affected componentsFixes available
redhat/python3<0:3.6.8-45.el8
0:3.6.8-45.el8
redhat/python27-python<0:2.7.18-4.el7
0:2.7.18-4.el7
Python Python>=3.6.0<3.6.14
Python Python>=3.7.0<3.7.11
Python Python>=3.8.0<3.8.11
Python Python>=3.9.0<3.9.6
redhat Codeready Linux Builder=8.0
redhat Codeready Linux Builder For Ibm Z Systems=8.0
redhat Codeready Linux Builder For Power Little Endian=8.0
redhat Enterprise Linux=6.0
redhat Enterprise Linux=7.0
redhat Enterprise Linux=8.0
redhat Enterprise Linux For Ibm Z Systems=8.0
redhat Enterprise Linux For Power Little Endian=8.0
Fedoraproject Fedora=33
Fedoraproject Fedora=34
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
Canonical Ubuntu Linux=20.04
Canonical Ubuntu Linux=21.04
NetApp Hci
NetApp Management Services For Element Software
NetApp Netapp Xcp Smb
NetApp ONTAP Select Deploy administration utility
NetApp Xcp Nfs
Oracle Communications Cloud Native Core Binding Support Function=22.1.3
Oracle Communications Cloud Native Core Network Exposure Function=22.1.1
Oracle Communications Cloud Native Core Policy=22.2.0
IBM Cognos Analytics 11.2.x<=IBM Cognos Analytics 11.2.x
IBM Cognos Analytics 11.1.x<=IBM Cognos Analytics 11.1.x
redhat/python<3.6.14
3.6.14
redhat/python<3.7.11
3.7.11
redhat/python<3.8.11
3.8.11
redhat/python<3.9.6
3.9.6
debian/pypy3<=7.3.5+dfsg-2+deb11u2
7.3.5+dfsg-2+deb11u57.3.11+dfsg-2+deb12u37.3.19+dfsg-27.3.20+dfsg-4
debian/python2.7<=2.7.18-8+deb11u1
debian/python3.9<=3.9.2-1
3.9.2-1+deb11u3
F5 BIG-IP=21.0.0
F5 BIG-IP>=17.5.0<=17.5.1, >=17.1.0<=17.1.3
F5 BIG-IP>=16.1.0<=16.1.6
F5 F5OS-A>=1.8.0<=1.8.3, >=1.5.1<=1.5.4
F5 F5OS-C>=1.8.0<=1.8.2, >=1.6.0<=1.6.4

Remediation

Patch Available

https://bugzilla.redhat.com/show_bug.cgi?id=1995162

Patch Available

https://github.com/python/cpython/pull/25916

Patch Available

https://github.com/python/cpython/pull/26503

Patch Available

https://python-security.readthedocs.io/vuln/urllib-100-continue-loop.html

Patch Available

https://ubuntu.com/security/CVE-2021-3737

Patch Available

https://www.oracle.com/security-alerts/cpujul2022.html

Event History

Aug 9, 2021
CVE Published
12:00 AM
Aug 18, 2021
Data Sourced
via Red Hat·02:50 PM
DescriptionSeverityAffected Software
Mar 4, 2022
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
DescriptionWeakness
Data Sourced
via NVD·07:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Jan 11, 2024
Data Sourced
via Launchpad·11:58 PM
Description
Nov 5, 2025
Data Sourced
via Ubuntu·09:55 PM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Debian·09:56 PM
DescriptionAffected Software
Feb 5, 2026
Advisory Published
via F5·10:02 PM
Data Sourced
via F5·10:02 PM
DescriptionSeverityWeaknessAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-3737?

CVE-2021-3737 is a vulnerability in Python that allows a remote attacker to cause a denial of service by making the client script enter an infinite loop.

2

What is the severity of CVE-2021-3737?

The severity of CVE-2021-3737 is high with a CVSS score of 7.5.

3

How does CVE-2021-3737 affect Python?

CVE-2021-3737 affects Python versions 3.6.0 to 3.6.14, 3.7.0 to 3.7.11, 3.8.0 to 3.8.11, and 3.9.0 to 3.9.6.

4

How can I fix CVE-2021-3737?

To fix CVE-2021-3737, update Python to version 3.6.15, 3.7.12, 3.8.12, or 3.9.7, depending on your installed version.

5

Where can I find more information about CVE-2021-3737?

You can find more information about CVE-2021-3737 on the official Python bug tracker and GitHub repository.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203