Platform
python
Component
numpy
Fixed in
1.13.3
CVE-2017-12852 is a Denial of Service (DoS) vulnerability in the NumPy library affecting versions 1.13.1 and earlier (the CVE description names "Numpy 1.13.1 and older versions"). The flaw is in the numpy.pad function, which lacked input validation: an empty list or ndarray passed to it sends the padding routine into an infinite loop. Exploitation halts the thread that made the call, so any application relying on that code path stops serving requests. The fix shipped in version 1.13.3.
The impact of CVE-2017-12852 is denial of service. An attacker who can control the array that an application hands to numpy.pad (for example, a service that pads user-supplied data before processing it) can submit an empty list or empty NumPy ndarray. This triggers an infinite loop inside the padding routine, pinning a CPU core and freezing the calling thread, and in single-process services the whole application. The blast radius depends on how the application uses NumPy: any code on a vulnerable version that pads attacker-influenced input is susceptible. No data exfiltration or code execution results, but the DoS can take down critical services and lock out legitimate users. It is of particular concern in high-performance computing and data-processing pipelines, where a hung worker stalls everything queued behind it.
CVE-2017-12852 was published on August 15, 2017. There is no indication of active exploitation in the wild, and it is not listed in CISA's KEV catalog; its EPSS score (below) is low. The CVSS score of 7.5 (HIGH) reflects that the bug is reachable over the network without privileges or user interaction wherever an application pads untrusted input. Public proof-of-concept (POC) code exists (the reproducer is a one-line call to numpy.pad on an empty array), so exploitation requires no skill beyond reaching a vulnerable call site.
Exploit Status
EPSS: 0.81% (74th percentile)
The recommended mitigation for CVE-2017-12852 is to upgrade to NumPy version 1.13.3 or later, which adds the missing input validation. If an immediate upgrade is not feasible because of compatibility constraints or downtime limits, apply a temporary workaround: validate input before it reaches numpy.pad and reject any list or ndarray that is empty (has a zero-length axis). This only helps if every call site is covered, so route calls through a single wrapper rather than patching them individually. Monitor CPU usage for sustained spikes on worker processes, which is what a triggered loop looks like from the outside. After upgrading, confirm the fix by padding an empty array; run that check in a child process with a timeout, so that a still-vulnerable interpreter is reported as hung rather than hanging your verification step.
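The pieces of the mitigation above, as an added example rather than code from NumPy or from this advisory: a version check against the fixed release named on this page, a wrapper that rejects empty input before numpy.pad is ever called, and a post-upgrade probe that pads an empty array in a child process under a timeout. All function names are mine. The probe uses mode='reflect'; the page does not name which padding modes reached the loop, so that choice is an assumption.

```python
"""Pre-validation guard and post-upgrade probe for numpy.pad (CVE-2017-12852).

Added example, not NumPy's own code. The names FIXED_VERSION, is_vulnerable_numpy,
is_empty_input, safe_pad and probe_pad_empty are mine.
"""
import re
import subprocess
import sys

# The fixed release named in this advisory.
FIXED_VERSION = (1, 13, 3)


def parse_version(text):
    """Leading MAJOR.MINOR[.PATCH] of a NumPy version string ("1.13.1", "1.13.0rc1", "1.9.3.dev0")."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised NumPy version string: %r" % (text,))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable_numpy(version_text):
    """True for any release older than 1.13.3 (pre-releases of 1.13.3 itself count as fixed)."""
    return parse_version(version_text) < FIXED_VERSION


def _shape_of(obj):
    """Shape of a nested list/tuple, or of any object exposing .shape, without importing NumPy.
    Ragged lists are not handled (NumPy rejects those before padding anyway)."""
    shape = getattr(obj, "shape", None)
    if shape is not None:
        return tuple(shape)
    if isinstance(obj, (list, tuple)):
        return (len(obj),) + (_shape_of(obj[0]) if obj else ())
    return ()  # scalar


def is_empty_input(obj):
    """The input class the CVE describes: a list or ndarray with a zero-length axis."""
    return 0 in _shape_of(obj)


def safe_pad(array, pad_width, mode="constant", **kwargs):
    """numpy.pad with the workaround from this page: reject empty input before the call.
    Redundant but harmless on NumPy >= 1.13.3, where the library validates this itself."""
    if is_empty_input(array):
        raise ValueError("refusing to pad an empty array of shape %r (CVE-2017-12852 guard)"
                         % (_shape_of(array),))
    import numpy as np  # imported here so the validators above work without NumPy installed
    return np.pad(array, pad_width, mode=mode, **kwargs)


# Snippet run in a child process: pad an empty array. mode='reflect' is my assumption
# about a mode that reached the loop; the advisory does not name one.
_PROBE = "import numpy as np; np.pad(np.array([]), 1, mode='reflect')"


def probe_pad_empty(timeout=10.0):
    """Post-upgrade check. Runs the probe in a child so a still-vulnerable install cannot
    hang the caller. Returns 'hung' if the child hit the timeout, else 'completed' (a
    ValueError from a patched NumPy is a pass: it returned instead of looping)."""
    try:
        subprocess.run([sys.executable, "-c", _PROBE], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:  # run() kills the child before raising
        return "hung"
    return "completed"


if __name__ == "__main__":
    import numpy as np
    print("numpy", np.__version__, "vulnerable:", is_vulnerable_numpy(np.__version__))
    print("safe_pad([1, 2], 1):", safe_pad([1, 2], 1).tolist())  # -> [0, 1, 2, 0]
    try:
        safe_pad([], 1, mode="reflect")
    except ValueError as exc:
        print("guard rejected empty input:", exc)
    print("empty-array probe:", probe_pad_empty())
```

The guard deliberately inspects the input's shape without importing NumPy, so it can sit at an API boundary and reject `[]` or `[[]]` before the payload is ever turned into an array. The probe treats any return within the timeout as a pass, including an exception: on a patched NumPy, padding an empty axis in a non-constant mode is expected to raise rather than succeed.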
CVE-2017-12852 is a Denial of Service vulnerability in NumPy versions 1.13.1 and earlier. An attacker who can pass an empty list or ndarray to the numpy.pad function triggers an infinite loop, hanging the calling process.
If you are using NumPy version 1.13.1 or earlier, you are potentially affected. Check your NumPy version with pip show numpy or python -c "import numpy; print(numpy.__version__)".
Upgrade to NumPy version 1.13.3 or later. This version includes a fix for the input validation issue that causes the DoS vulnerability.
There is no current evidence of CVE-2017-12852 being actively exploited in the wild, but public POC code exists.
Refer to the NumPy issue tracker discussion for details and the upstream reproducer: https://github.com/numpy/numpy/issues/9384