Security Report
Hi Richard, I identified several security vulnerabilities in python-whois during a code audit. Since private vulnerability reporting (PVRA) is not enabled on this repository, I'm filing this as an issue. I'm happy to discuss any of these findings or submit a PR with fixes.
Reporter: Conner Webber (conner.webber000@gmail.com)
1. Regex Injection in findwhois_server (HIGH — CWE-94/CWE-1333)
File: whois/whois.py, lines 134-137
```python
match = re.compile(
    # query is interpolated verbatim: any regex metacharacters in it are live
    r"Domain Name: {}\s*.*?Whois Server: (.*?)\s".format(query),
    flags=re.IGNORECASE | re.DOTALL,
).search(buf)
```
The `query` parameter (user-supplied domain name) is inserted directly into `re.compile()` via `.format(query)` with no `re.escape()`. This enables:
- ReDoS: A domain containing regex metacharacters like `(a+)+$` causes catastrophic backtracking
- Regex semantics manipulation: Injecting `.*` or capture groups alters matching behavior
- Potential WHOIS server redirection: Capture group injection can interfere with `match.group(1)`, potentially redirecting to an attacker-controlled server
Fix: `re.escape(query)` — one-line change.
2. SSRF via WHOIS Referral Following (MEDIUM — CWE-918)
File: whois/whois.py, lines 278-283
The library parses `Whois Server:` from WHOIS responses and connects to whatever hostname is specified. The only validation is checking for `/` in the hostname. There is no filtering of private/internal IP ranges (RFC 1918, loopback, link-local, cloud metadata endpoints like `169.254.169.254`).
A malicious or compromised WHOIS server can redirect the client to internal network services on port 43.
Fix: Add private IP range filtering before connecting to referral servers.
3. Unbounded Memory from WHOIS Response (MEDIUM — CWE-400)
File: whois/whois.py, lines 270-274
```python
while True:
    d = s.recv(4096)
    response += d  # grows without bound until the peer closes the connection
    if not d:
        break
```
The recv loop has no maximum size limit. A malicious WHOIS server can send unlimited data, causing unbounded memory allocation.
Fix: Add a `MAX_WHOIS_RESPONSE` size check (e.g., 10 MB).
4. Unbounded Recursion via Referral Chains (MEDIUM — CWE-674)
File: whois/whois.py, lines 275-283
The `whois()` method recursively follows referrals with no depth limit. A chain of servers each referring to the next causes `RecursionError`.
Fix: Add a `depth` parameter with a maximum (e.g., 10).
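An added example (not python-whois's own code) that addresses findings #2, #3 and #4 together: referral hosts are resolved and vetted with `ipaddress` before any connection, the recv loop stops at `MAX_WHOIS_RESPONSE`, and referral following carries a `depth` counter capped at 10. The function names, the injectable `resolver`/`connect` parameters (so the logic can be exercised without network access) and the regex used to pull the referral out of a response are my assumptions, not the library's API.

```python
import ipaddress
import re
import socket

MAX_WHOIS_RESPONSE = 10 * 1024 * 1024  # byte cap per response (the report suggests 10 MB)
MAX_REFERRAL_DEPTH = 10                # referral hops allowed (the report suggests 10)
WHOIS_PORT = 43
_REFERRAL_RE = re.compile(r"Whois Server:\s*(\S+)", re.IGNORECASE)  # assumed referral format

def is_public_address(ip: str) -> bool:
    # is_global excludes RFC 1918, loopback, link-local (169.254.169.254), CGNAT, reserved
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast

def public_address_for(host: str, resolver=socket.getaddrinfo) -> str:
    # Resolve once, vet every address, and return an IP so the caller connects to the
    # vetted address instead of re-resolving the name after the check.
    if not host or "/" in host:
        raise ValueError(f"malformed referral host {host!r}")
    ips = [info[4][0] for info in resolver(host, WHOIS_PORT, type=socket.SOCK_STREAM)]
    if not ips or not all(is_public_address(ip) for ip in ips):
        raise ValueError(f"referral host {host!r} resolves to a non-public address")
    return ips[0]

def recv_bounded(sock, limit: int = MAX_WHOIS_RESPONSE) -> bytes:
    # The library's recv loop, plus a running byte count and a hard stop.
    chunks, total = [], 0
    while True:
        d = sock.recv(4096)
        if not d:
            break
        total += len(d)
        if total > limit:
            raise ValueError(f"WHOIS response exceeded {limit} bytes")
        chunks.append(d)
    return b"".join(chunks)

def whois_lookup(host: str, domain: str, depth: int = 0, resolver=socket.getaddrinfo,
                 connect=lambda ip: socket.create_connection((ip, WHOIS_PORT), timeout=10)):
    # Follow "Whois Server:" referrals only to vetted public hosts, at most
    # MAX_REFERRAL_DEPTH hops deep, with every hop's response size-capped.
    if depth > MAX_REFERRAL_DEPTH:
        raise ValueError("referral chain too long")
    with connect(public_address_for(host, resolver)) as sock:
        sock.sendall(f"{domain}\r\n".encode())
        text = recv_bounded(sock).decode("utf-8", errors="replace")
    m = _REFERRAL_RE.search(text)
    if m and m.group(1).rstrip(".").lower() != host.rstrip(".").lower():
        return whois_lookup(m.group(1), domain, depth + 1, resolver, connect)
    return text
```

Because the connection is made to the already-vetted IP rather than to the referral name, a second DNS answer cannot swap a public address for an internal one between check and connect.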
5. No Domain Input Validation (MEDIUM — CWE-20)
File: whois/__init__.py, lines 46-76
The public `whois()` function accepts arbitrary strings with zero validation — no format check, length limit, or character filtering. This feeds unvalidated input into vulnerability #1.
Fix: Add RFC 1035 domain name validation.
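An added example (not python-whois's own code) covering findings #1 and #5 together: an RFC 1035 syntax check on the query, and the same `findwhois_server` pattern with `re.escape` applied, run over a constructed WHOIS response. The function names and the sample response are mine.

```python
import re
from typing import Optional

MAX_NAME_LEN = 253  # RFC 1035: a full name is at most 253 characters in text form
# RFC 1035 label: letters, digits and hyphen, 1-63 chars, no leading or trailing hyphen
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def validate_domain(query: str) -> str:
    """Return the normalised (lower-case, no trailing dot) name, or raise ValueError."""
    name = query.strip().rstrip(".").lower()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("domain name is empty or longer than 253 characters")
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError("domain name needs at least two labels")
    for label in labels:
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r}")
    return name


def is_valid_domain(query: str) -> bool:
    try:
        validate_domain(query)
        return True
    except ValueError:
        return False


def find_whois_server(buf: str, query: str) -> Optional[str]:
    """Same pattern as the library, but the query is validated first and passed
    through re.escape, so any metacharacter in it is matched literally."""
    query = validate_domain(query)
    match = re.compile(
        r"Domain Name: {}\s*.*?Whois Server: (.*?)\s".format(re.escape(query)),
        flags=re.IGNORECASE | re.DOTALL,
    ).search(buf)
    return match.group(1) if match else None


# Constructed sample WHOIS response (not real registry output).
SAMPLE_RESPONSE = (
    "Domain Name: EXAMPLE.COM\r\n"
    "Whois Server: whois.registrar.example\r\n"
    "Status: ok\r\n"
)
```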
Summary
| # | Vulnerability | Severity | CWE | Fix Complexity |
|---|---|---|---|---|
| 1 | Regex Injection (ReDoS) | HIGH | CWE-94/CWE-1333 | One line (`re.escape`) |
| 2 | SSRF via referral | MEDIUM | CWE-918 | ~10 lines |
| 3 | Unbounded memory | MEDIUM | CWE-400 | ~3 lines |
| 4 | Unbounded recursion | MEDIUM | CWE-674 | ~5 lines |
| 5 | No input validation | MEDIUM | CWE-20 | ~10 lines |
I'm available to submit a PR with all fixes if that would be helpful. I'd also recommend enabling GitHub's private vulnerability reporting for future reports.
90-day disclosure timeline: June 6, 2026.