Python
cpe:2.3:a:python:python:*:*:*:*:*:*:*
- >= 3.9, < 3.9.23
- >= 3.10, < 3.10.12
- >= 3.11, < 3.11.6
- >= 3.12, < 3.12.2
- >= 3.13, < 3.13.1
A vulnerability exists in the Python standard library's urllib module, specifically in the urlsplit and urlparse functions. These functions improperly accept domain names that include square brackets, which is not compliant with RFC 3986. Square brackets should only be used to delimit IPv6 and IPvFuture addresses in URLs. This flaw can lead to inconsistent URL parsing between Python's parser and other parsers that adhere to the specification.
Exploitation of this vulnerability could result in incorrect URL parsing, allowing invalid domain names to be processed as valid. This could cause issues in applications that rely on accurate URL handling, potentially leading to data modification or corruption.
The vulnerability can be reproduced by calling urlsplit or urlparse with a URL that contains square brackets in the domain name. For example, a URL like 'http://[example].com' or 'http://example.[com]' triggers the flaw, because the square brackets are neither validated nor rejected as RFC 3986 requires.
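As an added defensive check (not code from this advisory or from CPython itself), the function below re-validates the host component after urlsplit against RFC 3986: brackets are accepted only around an IPv6 or IPvFuture literal, and an unbracketed host must match the reg-name grammar. It goes slightly beyond the two examples above by also covering the IPvFuture form and the reg-name character set; the function name and regexes are the author's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# IPvFuture (RFC 3986 s3.2.2): "v" HEXDIG+ "." ( unreserved / sub-delims / ":" )+
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+\Z")
# reg-name: *( unreserved / pct-encoded / sub-delims ); square brackets are not allowed
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*\Z")


def host_is_rfc3986(url: str) -> bool:
    """Return True only if the authority's host part is a valid RFC 3986 host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Patched interpreters already reject malformed bracket hosts here.
        return False
    host = parts.netloc.rpartition("@")[2]  # drop any userinfo
    if host.startswith("["):
        close = host.find("]")
        if close == -1:
            return False
        inner, rest = host[1:close], host[close + 1:]
        # Only an optional ":port" may follow the closing bracket.
        if rest and not re.fullmatch(r":[0-9]*", rest):
            return False
        if _IPVFUTURE.match(inner):
            return True
        try:
            ipaddress.IPv6Address(inner)
            return True
        except ValueError:
            return False
    # No leading bracket: host must be a reg-name (or dotted IPv4), optionally ":port".
    name, _, port = host.partition(":")
    if port and not port.isdigit():
        return False
    return bool(_REG_NAME.match(name))


if __name__ == "__main__":
    # Constructed sample URLs, including the two malformed hosts from the advisory.
    for u in ("http://[::1]:8080/path", "http://[example].com", "http://example.[com]"):
        print(u, "->", "valid host" if host_is_rfc3986(u) else "REJECTED")
```

Run the check on the host you actually intend to connect to, not on a display string, since an unpatched urlsplit silently returns the bracketed name via .hostname with the brackets stripped.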
Users can update to Python versions 3.9.23, 3.10.13, 3.11.13, 3.12.0, or 3.13.0, where this issue has been fixed.