CVE-2021-28667: StackStorm st2 Infinite Loop Condition
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.70449%
CWE
Published
5/24/2022
Updated
8/7/2023
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| st2client | pip | < 3.4.1 | 3.4.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from StackStorm's custom logging handler for stderr data. The advisory and blog post describe a scenario where byte string decoding in logging enters an infinite loop under specific locale conditions. The _handle_stderr_line function is explicitly mentioned in StackStorm's post-mortem as the location where decoding logic was modified to strip non-ASCII characters, confirming its role in the vulnerability. The file path is inferred from standard StackStorm logging configuration patterns and the nature of the fix described.