VYPR
High severity · NVD Advisory · Published Mar 3, 2022 · Updated Apr 22, 2025

Buffer Overflow in Twisted

CVE-2022-21716

Description

Twisted is an event-based framework for internet applications, supporting Python 3.6+. Prior to 22.2.0, the Twisted SSH client and server implementations accept an unlimited amount of data while waiting for the peer's SSH version identifier, appending everything they receive to a buffer until all available memory is consumed. The effect is memory exhaustion from unbounded buffer growth, not an out-of-bounds write, and because the identification exchange happens before key exchange and authentication, any unauthenticated peer that can reach the port can trigger it. The attack is as simple as nc -rv localhost 22 < /dev/zero. A patch is available in version 22.2.0, which disconnects the peer if no version string has arrived within the first 4096 bytes. There are currently no known workarounds.
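The vulnerable and patched behaviour side by side, as an added example that is not Twisted's code: a small `VersionExchange` class (a hypothetical stand-in for the pre-version buffering in `SSHTransportBase.dataReceived`) that either buffers without limit (`max_buffer=None`, the pre-22.2.0 behaviour) or gives up once more than 4096 bytes arrive without a complete identification line (the figure the fix uses). It goes one step beyond the patch by attempting the parse before applying the cap, so a short valid line followed by a large first packet in the same read is not mistaken for an attack. `run_zero_stream` simulates the `nc ... < /dev/zero` attack with constructed NUL chunks and reports how much memory the buffer reached.

```python
"""Bounded SSH identification-line parsing (added example, not Twisted's code).

Per RFC 4253 the first thing an SSH peer sends is an identification line
("SSH-2.0-..." terminated by LF, possibly preceded by banner lines). A server
that keeps appending to a buffer until it sees that line can be fed data
forever; that is CVE-2022-21716. VersionExchange is a hypothetical stand-in
for the relevant part of SSHTransportBase.dataReceived.
"""

MAX_PREVERSION_BYTES = 4096  # same cap as the Twisted 22.2.0 fix


class VersionExchange:
    def __init__(self, max_buffer=MAX_PREVERSION_BYTES):
        self.buf = b""
        self.peer_version = None  # bytes once the peer's line has been parsed
        self.disconnected = None  # reason string once we have given up on the peer
        self.max_buffer = max_buffer  # None reproduces the unbounded (vulnerable) behaviour

    def data_received(self, data):
        if self.peer_version is not None or self.disconnected is not None:
            return
        self.buf += data
        start = self.buf.find(b"SSH-")
        end = self.buf.find(b"\n", start) if start != -1 else -1
        if end == -1:
            # No complete identification line yet. This is the only state in
            # which a peer can keep us waiting, so the cap is enforced here,
            # after the parse attempt, rather than on every byte received.
            if self.max_buffer is not None and len(self.buf) > self.max_buffer:
                self.disconnected = "peer version string longer than %d bytes" % self.max_buffer
                self.buf = b""  # release what was buffered; nothing more is appended
            return
        self.peer_version = self.buf[start:end].rstrip(b"\r")
        self.buf = self.buf[end + 1:]  # remainder belongs to the binary packet protocol


def feed(chunks, max_buffer=MAX_PREVERSION_BYTES):
    """Deliver constructed chunks in order; return (peer_version, leftover, disconnect_reason)."""
    vx = VersionExchange(max_buffer)
    for chunk in chunks:
        vx.data_received(chunk)
    return vx.peer_version, vx.buf, vx.disconnected


def run_zero_stream(max_buffer, total_bytes=1 << 20, chunk=1024):
    """Simulate `nc localhost 22 < /dev/zero`: NUL bytes arriving in chunk-sized reads.

    Returns (peak bytes held in the buffer, bytes delivered, disconnect reason).
    total_bytes only bounds the simulation; the real attack never stops sending.
    """
    vx = VersionExchange(max_buffer)
    peak = sent = 0
    while sent < total_bytes and vx.disconnected is None:
        vx.data_received(b"\x00" * chunk)  # constructed attacker input
        sent += chunk
        peak = max(peak, len(vx.buf))
    return peak, sent, vx.disconnected


if __name__ == "__main__":
    # Legitimate peer: identification line split across two reads, then packet bytes.
    print(feed([b"SSH-2.0-Open", b"SSH_8.9p1\r\n\x00\x00\x01"]))
    # Unbounded buffering holds every byte the attacker sends.
    print("vulnerable:", run_zero_stream(None, total_bytes=1 << 20))
    # With the cap, the peer is dropped after the first read that exceeds 4096 bytes.
    print("patched:   ", run_zero_stream(MAX_PREVERSION_BYTES, total_bytes=1 << 20))
```

The simulation bounds the attacker at 1 MiB only so that the unbounded case terminates; in the vulnerable configuration the peak buffer size equals whatever is sent, while the capped configuration never holds more than one read beyond the limit.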

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions      Patched versions
twisted   PyPI        >= 21.7.0, < 22.2.0    22.2.0


Patches (2)
89c395ee794e

Update the release date.

https://github.com/twisted/twisted · Adi Roiban · Mar 1, 2022 · via ghsa
1 file changed · +2 −2
  • NEWS.rst  +2 −2  modified
    @@ -3,8 +3,8 @@ http://twistedmatrix.com/trac/ticket/<number>
     
     .. towncrier release notes start
     
    -Twisted 22.2.0.rc1 (2022-02-08)
    -===============================
    +Twisted 22.2.0 (2022-03-01)
    +===========================
     
     Bugfixes
     --------
    
98387b39e9f0

Merge pull request from GHSA-rv6r-3f5q-9rgx

https://github.com/twisted/twisted · Adi Roiban · Feb 8, 2022 · via ghsa
3 files changed · +33 −0
  • src/twisted/conch/ssh/transport.py  +9 −0  modified
    @@ -728,6 +728,15 @@ def dataReceived(self, data):
             """
             self.buf = self.buf + data
             if not self.gotVersion:
    +
    +            if len(self.buf) > 4096:
    +                self.sendDisconnect(
    +                    DISCONNECT_CONNECTION_LOST,
    +                    b"Peer version string longer than 4KB. "
    +                    b"Preventing a denial of service attack.",
    +                )
    +                return
    +
                 if self.buf.find(b"\n", self.buf.find(b"SSH-")) == -1:
                     return
     
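Review bot: the `len(self.buf) > 4096` check sits above the version parsing in the `if not self.gotVersion:` branch, so it is evaluated before the code below it has a chance to find the `SSH-` line, and a well-behaved peer whose short, complete identification line arrives in the same read as more than 4096 bytes of follow-on data (its first binary packet, say) is disconnected as if it were the attacker. Move the cap into the branch that currently just `return`s when `self.buf.find(b"\n", self.buf.find(b"SSH-")) == -1`, i.e. apply it only once a parse attempt has failed, or measure only the bytes preceding the first newline. Two smaller points: after `sendDisconnect(...)` the method returns without clearing `self.buf`, so further chunks that land before the transport actually closes keep being appended by `self.buf = self.buf + data` and re-trigger the disconnect each time; and `DISCONNECT_CONNECTION_LOST` describes a transport failure, whereas RFC 4253's `DISCONNECT_PROTOCOL_ERROR` is the code for a peer that violates the protocol, which an oversized identification string does.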
    
  • src/twisted/conch/test/test_transport.py  +22 −0  modified
    @@ -515,6 +515,28 @@ def test_sendVersion(self):
             )
             self.assertRegex(softwareVersion, softwareVersionRegex)
     
    +    def test_dataReceiveVersionNotSentMemoryDOS(self):
    +        """
    +        When the peer is not sending its SSH version but keeps sending data,
    +        the connection is disconnected after 4KB to prevent buffering too
    +        much and running our of memory.
    +        """
    +        sut = MockTransportBase()
    +        sut.makeConnection(self.transport)
    +
    +        # Data can be received over multiple chunks.
    +        sut.dataReceived(b"SSH-2-Server-Identifier")
    +        sut.dataReceived(b"1234567890" * 406)
    +        sut.dataReceived(b"1235678")
    +        self.assertFalse(self.transport.disconnecting)
    +
    +        # Here we are going over the limit.
    +        sut.dataReceived(b"1234567")
    +        # Once a lot of data is received without an SSH version string,
    +        # the transport is disconnected.
    +        self.assertTrue(self.transport.disconnecting)
    +        self.assertIn(b"Preventing a denial of service attack", self.transport.value())
    +
         def test_sendPacketPlain(self):
             """
             Test that plain (unencrypted, uncompressed) packets are sent
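Review bot: typo in the docstring of `test_dataReceiveVersionNotSentMemoryDOS`: "running our of memory" should read "running out of memory". The byte arithmetic is right as written (23 + 4060 + 7 = 4090 stays under the cap; the final 7 bytes take it to 4097), but only the attack path is exercised. Add a companion test that a complete identification line followed by more than 4096 bytes in a single `dataReceived` call is accepted rather than disconnected; that is the boundary a legitimate client is most likely to hit, and with the length check placed ahead of the version parsing in transport.py it would currently fail, which is worth knowing before this ships.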
    
  • src/twisted/newsfragments/10284.bugfix  +2 −0  added
    @@ -0,0 +1,2 @@
    +twisted.conch.ssh.transport.SSHTransportBase now disconnects the remote peer if the
    +SSH version string is not sent in the first 4096 bytes.
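Review bot: the fragment describes the new behaviour but not why it exists. Since this is a security fix, reference the advisory (GHSA-rv6r-3f5q-9rgx, named in the merge commit) in the fragment text so that anyone scanning the 22.2.0 release notes can match the entry to the advisory and the CVE without reading the diff.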
    
