CVE-2022-48564 in Python
Summary
by MITRE • 08/22/2023
read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
Analysis
by VulDB Data Team • 03/07/2026
CVE-2022-48564 is in the plistlib module of Python through 3.9.1 and was fixed upstream in Python 3.9.2 (bpo-42103, "Improve validation of Plist files"). The affected code is the read_ints helper of the binary property list parser, which reads runs of fixed-width big-endian integers: the object offset table, whose entry count and integer width come from the file's 32-byte trailer, and the object-reference arrays of containers, whose element counts come from object headers. A malformed file can declare counts and widths that bear no relation to the bytes actually present, and the parser sized its reads and unpack operations from those declared values before checking them against the file, so a small crafted file could cost a disproportionate amount of CPU time and memory to parse. The result is a denial of service against any process that loads binary plists from an untrusted source; the weakness is insufficient validation of length and count fields taken from the input, not a memory-safety bug.
Technically, read_ints takes a count n and an integer width size, reads size * n bytes and unpacks them as n big-endian integers. Both parameters are attacker-controlled: the offset width and object count are read straight from the trailer, and container element counts from object headers. On a malformed file the declared count can be orders of magnitude larger than the data the file contains, and the work the parser does (the read, the unpack format it builds, the tuple it allocates) scales with the declared value rather than with the real file size, so a few kilobytes of input can drive the interpreter into very large allocations or a very long unpack before any mismatch is noticed. This is CWE-400 (Uncontrolled Resource Consumption). The missing control is a bounds check that the requested object count and collection sizes are consistent with the remaining file length before anything is sized from them, which is what the upstream fix adds: extremely large object counts and collection sizes now raise InvalidFileException instead of being acted on.
Operationally, the exposure is any Python process that parses binary plists from user-supplied or externally sourced data: upload handlers, device-management backends that ingest Apple configuration profiles, and tooling that reads plists out of third-party packages. A crafted file makes such a process burn CPU and grow its memory until it raises MemoryError or is killed by the OOM killer or a supervisor, which takes down that worker and, on a host where workers are not memory-limited, can starve co-tenant processes. The attacker needs no privilege beyond whatever it takes to submit a file, and the file is small, so repeated submissions are cheap and can keep a service unavailable for as long as they continue; because the symptom looks like an ordinary load problem, diagnosis tends to be slow.
Mitigation starts with upgrading to Python 3.9.2 or later, or to a maintenance release of an older branch that includes the bpo-42103 fix; interpreters bundled in container base images or frozen applications need to be checked separately. Where untrusted plists must be parsed, do not rely on the parser alone: cap the accepted file size, and for binary files sanity-check the trailer (integer widths, object count, offset-table position, top-object index) against the actual file length before handing the bytes to plistlib.loads. Run the parse in a separate process or worker with hard limits (address-space and CPU-time rlimits, a wall-clock timeout) so that a malicious file costs one worker rather than the host, which is the concrete form of the least-privilege and resource-limit advice. At the edge, rate-limit upload endpoints and reject content types the application does not expect. Monitor for workers whose CPU or resident memory spikes on particular inputs, since that is the observable signature of exploitation. In ATT&CK terms this maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation).
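The pre-parse checks described above, as an added example written for this page (it is not plistlib's own code and not the upstream fix): it caps the input size, decodes the 32-byte bplist00 trailer and rejects integer widths, object counts and offsets that cannot be satisfied by the file, and only then hands the bytes to plistlib.loads. The MAX_PLIST_BYTES limit, the helper names and the sample plist are assumptions chosen for the example; tamper_trailer builds the malformed inputs by patching trailer fields of a valid file produced by plistlib.dumps. The trailer layout follows Apple's documented binary plist format, which is also what plistlib unpacks with the same struct format string.

```python
import plistlib
import struct

# Assumed upper bound for plists from untrusted sources (tune per application).
MAX_PLIST_BYTES = 1 * 1024 * 1024

# Trailer = last 32 bytes: 6 unused bytes (the last is the sort version),
# offset_size (u8), ref_size (u8), num_objects (u64), top_object (u64),
# offset_table_offset (u64); all big-endian.
TRAILER_FMT = ">6xBBQQQ"
TRAILER_LEN = struct.calcsize(TRAILER_FMT)  # 32
HEADER = b"bplist00"


class UntrustedPlistError(ValueError):
    """Raised when input fails a pre-parse sanity check."""


def check_bplist_trailer(data: bytes) -> dict:
    """Reject trailers whose counts/offsets cannot be satisfied by the file.

    These are the values the parser feeds to read_ints for the offset table
    (num_objects entries of offset_size bytes each), so checking them against
    the real length bounds the work the parser can be asked to do.
    """
    if not data.startswith(HEADER) or len(data) < len(HEADER) + TRAILER_LEN + 1:
        raise UntrustedPlistError("not a bplist00 file or too short")
    offset_size, ref_size, num_objects, top_object, table_offset = struct.unpack(
        TRAILER_FMT, data[-TRAILER_LEN:]
    )
    table_end = len(data) - TRAILER_LEN  # offset table must end before the trailer
    if offset_size not in (1, 2, 4, 8) or ref_size not in (1, 2, 4, 8):
        raise UntrustedPlistError(f"invalid integer widths {offset_size}/{ref_size}")
    if num_objects == 0:
        raise UntrustedPlistError("num_objects is zero")
    if not len(HEADER) <= table_offset < table_end:
        raise UntrustedPlistError("offset table lies outside the file")
    if num_objects > (table_end - table_offset) // offset_size:
        raise UntrustedPlistError(
            f"num_objects={num_objects} does not fit in {table_end - table_offset} bytes"
        )
    if top_object >= num_objects:
        raise UntrustedPlistError("top_object index out of range")
    return {
        "offset_size": offset_size,
        "ref_size": ref_size,
        "num_objects": num_objects,
        "top_object": top_object,
        "offset_table_offset": table_offset,
    }


def load_untrusted_plist(data: bytes, max_bytes: int = MAX_PLIST_BYTES):
    """Size cap, then trailer check for binary files, then the real parse."""
    if len(data) > max_bytes:
        raise UntrustedPlistError(f"{len(data)} bytes exceeds limit of {max_bytes}")
    if data.startswith(HEADER):
        check_bplist_trailer(data)
    return plistlib.loads(data)


def rejection_reason(data: bytes, max_bytes: int = MAX_PLIST_BYTES):
    """None if the data parses, otherwise the reason it was refused."""
    try:
        load_untrusted_plist(data, max_bytes)
    except (UntrustedPlistError, plistlib.InvalidFileException) as exc:
        return str(exc) or exc.__class__.__name__
    return None


def make_sample_plist() -> bytes:
    """Constructed sample: a valid binary plist with three objects (dict, key, value)."""
    return plistlib.dumps({"a": 1}, fmt=plistlib.FMT_BINARY)


def tamper_trailer(data: bytes, *, num_objects=None, top_object=None, table_offset=None) -> bytes:
    """Patch trailer fields of a valid file to build malformed test inputs."""
    body, trailer = data[:-TRAILER_LEN], bytearray(data[-TRAILER_LEN:])
    if num_objects is not None:
        trailer[8:16] = num_objects.to_bytes(8, "big")
    if top_object is not None:
        trailer[16:24] = top_object.to_bytes(8, "big")
    if table_offset is not None:
        trailer[24:32] = table_offset.to_bytes(8, "big")
    return body + bytes(trailer)


if __name__ == "__main__":
    good = make_sample_plist()
    print("valid file:", load_untrusted_plist(good), check_bplist_trailer(good))
    for label, bad in [
        ("huge num_objects", tamper_trailer(good, num_objects=2**63 - 1)),
        ("offset table past EOF", tamper_trailer(good, table_offset=len(good))),
        ("top_object out of range", tamper_trailer(good, top_object=3)),
        ("oversized input", b"x" * (MAX_PLIST_BYTES + 1)),
    ]:
        print(f"{label}: {rejection_reason(bad)}")
```

The trailer check only covers the values used for the offset table; container element counts inside the object table are still the parser's job, which is why the size cap and a per-worker limit (on Unix, resource.setrlimit with RLIMIT_AS and RLIMIT_CPU in the child before calling load_untrusted_plist, plus a timeout in the parent) remain necessary even with this check in place. None of the tampered inputs here is claimed to reproduce the original exploit; they exercise the class of inconsistency the advisory describes.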