CVE-2025-0938 — Improper Input Validation in Software Foundation Cpython

CWE-20 — Improper Input Validation12 documents7 sources

Severity

6.3MEDIUMNVD

EPSS

1.7%

top 17.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedJan 31

Latest updateSep 29

Description

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython3.10.0 — 3.10.17+5

🔴Vulnerability Details

OSV

python2.7 regression↗2025-09-29

▶

CVEList

URL parser allowed square brackets in domain names↗2025-01-31

▶

GHSA

GHSA-5qjr-cj9f-phrx: The Python standard library functions `urllib↗2025-01-31

▶

OSV

CVE-2025-0938: The Python standard library functions `urllib↗2025-01-31

▶

📋Vendor Advisories

Ubuntu

Python 2.7 regression↗2025-09-29

▶

Ubuntu

Python vulnerability↗2025-05-22

▶

Ubuntu

Python regression↗2025-03-24

▶

Ubuntu

Python vulnerabilities↗2025-03-12

▶

Ubuntu

Python vulnerability↗2025-02-20

▶