Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html
https://github.com/python/cpython/pull/18284
https://lists.debian.org/debian-lts-announce/2020/07/msg00011.html
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://security.gentoo.org/glsa/202005-09
https://security.netapp.com/advisory/ntap-20200221-0001/