
Cloud Vulnerability DB
A community-led vulnerabilities database
An issue was discovered in the IDNA (RFC 3490) decoder of Python's standard library, tracked as CVE-2022-45061. It affects all Python releases prior to 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16. The decoder's processing path contains an unnecessary quadratic algorithm (CVE MITRE, NVD).
The vulnerability stems from an inefficient implementation in the IDNA decoder: certain inputs trigger a code path whose running time grows quadratically with the input size, so a crafted, unreasonably long hostname takes disproportionately long to decode. Reported timings illustrate the growth: 10 chars = 0.016 seconds, 100 chars = 0.047 seconds, 1000 chars = 2.883 seconds, 2500 chars = 17.724 seconds, and 5000 chars = 1 minute 10 seconds (GitHub Issue).
The vulnerability can lead to a CPU-based denial of service (DoS) condition. Because hostnames are often supplied by remote servers, an attacker controlling such a server can cause excessive CPU consumption on any client that decodes the attacker-supplied hostname. A practical attack vector described in the advisory is placing the payload in the Location header of an HTTP response with status code 302 (CVE MITRE).
The primary mitigation is to upgrade to a fixed version of Python: 3.11.1, 3.10.9, 3.9.16, 3.8.16, or 3.7.16. Various distributions, including Fedora, Debian, and Ubuntu, have released security updates addressing this vulnerability. For systems that cannot be updated immediately, no workarounds are documented, so upgrading to a patched version is the only effective remediation (Debian Security).
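The following added example (not part of this report or of the Python project) shows two defender-side checks a practitioner might put in place: a version check against the fixed releases listed above, and an application-level guard that bounds a hostname's length before handing it to the `idna` codec. The function names and the 253-character cap (the RFC 1035 limit for a presentation-form DNS name) are this example's own choices; the length guard is defense in depth for code that decodes hostnames taken from untrusted sources such as redirect headers, not a substitute for upgrading.

```python
import sys

# Fixed releases taken from the advisory: the first patched micro version in
# each affected 3.x series. Anything earlier in the same series is affected.
FIXED_PATCH_LEVELS = {
    (3, 7): 16,
    (3, 8): 16,
    (3, 9): 16,
    (3, 10): 9,
    (3, 11): 1,
}

# Assumed cap: RFC 1035 limits a presentation-form DNS name to 253 characters,
# so anything longer is not a usable hostname and need not reach the decoder.
MAX_HOSTNAME_LEN = 253


def python_has_cve_2022_45061_fix(version_info=None):
    """Return True if the (major, minor, micro) tuple is at or past the fix.

    Defaults to the running interpreter. Python 2 and series older than 3.7
    are unsupported upstream and are treated as unpatched here.
    """
    if version_info is None:
        version_info = sys.version_info[:3]
    major, minor, micro = version_info[:3]
    if major != 3:
        return major > 3
    if minor > 11:
        return True  # 3.12+ shipped after the fix
    fixed_micro = FIXED_PATCH_LEVELS.get((major, minor))
    if fixed_micro is None:
        return False
    return micro >= fixed_micro


def safe_idna_decode(hostname, max_len=MAX_HOSTNAME_LEN):
    """Decode an IDNA (punycode) hostname only after bounding its length.

    Accepts str (must be ASCII, as hostnames on the wire are) or bytes and
    returns the Unicode form. Over-long input is rejected before the codec
    runs, so the quadratic path in unpatched interpreters is never entered.
    """
    if len(hostname) > max_len:
        raise ValueError(
            f"hostname too long ({len(hostname)} > {max_len} characters)"
        )
    if isinstance(hostname, str):
        try:
            hostname = hostname.encode("ascii")
        except UnicodeEncodeError:
            raise ValueError("hostname must be ASCII (punycode) on the wire")
    return hostname.decode("idna")


if __name__ == "__main__":
    # Constructed sample inputs for a quick local demonstration.
    print("interpreter patched:", python_has_cve_2022_45061_fix())
    print(safe_idna_decode("xn--bcher-kva.example"))  # bücher.example
    try:
        safe_idna_decode("a" * 5000 + ".example")
    except ValueError as exc:
        print("rejected:", exc)
```

Wire the length check in wherever hostnames are extracted from untrusted input (for example, the host component of a redirect target) and fail closed on anything over the cap; the version check is suited to a startup self-test or a fleet inventory script.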
Source: This report was generated using AI