CVE-2025-0938
6.3
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Summary
The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Python Software Foundation | CPython | 0 < 3.10.17 | affected |
| Python Software Foundation | CPython | 3.11.0 < 3.11.12 | affected |
| Python Software Foundation | CPython | 3.12.0 < 3.12.9 | affected |
| Python Software Foundation | CPython | 3.13.0 < 3.13.2 | affected |
| Python Software Foundation | CPython | 3.14.0a1 < 3.14.0a5 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://security.netapp.com/advisory/ntap-20250314-0002/
- https://lists.debian.org/debian-lts-announce/2025/03/msg00013.html
References
- https://github.com/python/cpython/issues/105704
- https://github.com/python/cpython/pull/129418
- https://mail.python.org/archives/list/security-announce@python.org/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/
- https://github.com/python/cpython/commit/d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a
- https://github.com/python/cpython/commit/90e526ae67b172ed7c6c56e7edad36263b0f9403
- https://github.com/python/cpython/commit/a7084f6075c9595ba60119ce8c62f1496f50c568
- https://github.com/python/cpython/commit/526617ed68cde460236c973e5d0a8bad4de896ba
- https://github.com/python/cpython/commit/b8b4b713c5f8ec0958c7ef8d29d6711889bc94ab
- https://github.com/python/cpython/commit/ff4e5c25666f63544071a6b075ae8b25c98b7a32
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.