Python http.cookies Control Character Validation Vulnerability
Vulnerability
A vulnerability exists in the Python standard library's http.cookies module, specifically in the Morsel class. The issue arises because the fix for a previous vulnerability (CVE-2026-0672) was incomplete: control characters were rejected when an attribute was set directly (for example, assigning the 'path' attribute through item assignment), but the update() method, the |= operator and the unpickling path were not patched and still store attribute values without that check. A control character can therefore bypass input validation and end up in a Morsel. In addition, BaseCookie.js_output() lacked the output-time validation that had been applied to BaseCookie.output(), so a Morsel containing a control character is emitted by js_output() without error.
Impact
Exploitation of this vulnerability allows control characters (for example CR and LF) to be introduced into cookie attributes through the unpatched paths; because js_output() does not validate its output, those characters pass through into the generated JavaScript, potentially leading to unexpected behavior in cookie handling or manipulation by whatever consumes that output.
Reproduction
The vulnerability can be reproduced by creating a cookie Morsel and using the update() method or the |= operator to add a control character to one of its attributes. Alternatively, a control character can be introduced by unpickling a Morsel object that contains one. Once the control character is in place, calling js_output() on a BaseCookie that holds the Morsel demonstrates the missing validation: the control character is written into the output without any error, whereas output() on the same cookie rejects it.
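The following script is an added example, not code from the advisory or from CPython. It exercises each mutation path named above (item assignment, update(), |=, unpickling, and js_output()) and reports whether the running interpreter rejects a control character on that path, so the same script shows "accepted" on an unpatched Python and "rejected" on a fixed one. It also includes an independent validator, find_control_chars(), that inspects a cookie's stored strings directly and therefore catches injected characters regardless of interpreter version. The payload string, the helper names and the use of dict.__setitem__ to force a tainted attribute for testing are this example's own choices; the assumption that a pickled Morsel's state carries key, value and coded_value while dict items are restored through __setitem__ is labelled in the code.

```python
"""Probe http.cookies Morsel mutation paths for control-character checks and
validate a cookie independently of the interpreter's own checks."""
import pickle
from http.cookies import CookieError, Morsel, SimpleCookie

# Constructed payload: CR LF followed by a second header line is the classic
# header-splitting shape; any C0 control character exercises the same check.
CONTROL_PAYLOAD = "/\r\nSet-Cookie: injected=1"

# C0 control characters plus DEL; treated as forbidden in every cookie field.
_CONTROL_CHARS = frozenset(chr(c) for c in range(0x20)) | {"\x7f"}


def _fresh_morsel():
    m = Morsel()
    m.set("session", "abc123", "abc123")
    return m


def _outcome(action):
    """Run one mutation and report whether the interpreter rejected it."""
    try:
        action()
    except (CookieError, ValueError):
        return "rejected"
    except TypeError:
        return "unsupported"  # e.g. `|=` on Python < 3.9
    return "accepted"


def probe_validation_paths(payload=CONTROL_PAYLOAD):
    """Return {path: 'rejected' | 'accepted' | 'unsupported'} per mutation path."""

    def via_setitem():
        m = _fresh_morsel()
        m["path"] = payload  # direct assignment: covered by the earlier fix

    def via_update():
        m = _fresh_morsel()
        m.update({"path": payload})  # update() stores via dict.update()

    def via_ior():
        m = _fresh_morsel()
        m |= {"path": payload}  # dict.__ior__ never calls Morsel.__setitem__

    def via_unpickle():
        m = _fresh_morsel()
        # Assumption: pickled state carries key/value/coded_value and is
        # restored by __setstate__, while dict items go through __setitem__.
        m._value = payload
        pickle.loads(pickle.dumps(m))

    def via_js_output():
        c = SimpleCookie()
        c["session"] = "abc123"
        # dict.__setitem__ bypasses Morsel validation on every version; it is
        # used here only to guarantee a tainted attribute for the output check.
        dict.__setitem__(c["session"], "path", payload)
        c.js_output()

    return {
        "__setitem__": _outcome(via_setitem),
        "update": _outcome(via_update),
        "ior": _outcome(via_ior),
        "unpickle_value": _outcome(via_unpickle),
        "js_output": _outcome(via_js_output),
    }


def find_control_chars(cookie):
    """List (morsel name, field, char) for every control character stored in a
    BaseCookie. Pure inspection, so it works the same on any interpreter."""
    hits = []
    for name, morsel in cookie.items():
        fields = [("key", morsel.key), ("value", morsel.value),
                  ("coded_value", morsel.coded_value)]
        fields += list(morsel.items())  # path, domain, expires, secure, ...
        for field, text in fields:
            if not isinstance(text, str):  # expires may be int, flags are bool
                continue
            for ch in text:
                if ch in _CONTROL_CHARS:
                    hits.append((name, field, ch))
                    break
    return hits


def safe_js_output(cookie):
    """js_output() guarded by our own check rather than the stdlib's."""
    hits = find_control_chars(cookie)
    if hits:
        raise ValueError("control character in cookie: %r" % (hits,))
    return cookie.js_output()


def build_clean():
    c = SimpleCookie()
    c["session"] = "abc123"
    c["session"]["path"] = "/"
    return c


def build_tainted():
    c = SimpleCookie()
    c["session"] = "abc123"
    dict.__setitem__(c["session"], "path", CONTROL_PAYLOAD)  # forced taint
    return c


if __name__ == "__main__":
    for path, result in probe_validation_paths().items():
        print("%-16s %s" % (path, result))
    print("clean hits:  ", find_control_chars(build_clean()))
    print("tainted hits:", find_control_chars(build_tainted()))
```

On an interpreter that predates the fix, update, ior, unpickle_value and js_output print "accepted" while __setitem__ prints "rejected"; on a fixed interpreter all five print "rejected". find_control_chars() and safe_js_output() give the same answer on both, which is what an application that cannot upgrade immediately needs.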
Remediation
Users should update to a Python release that contains the fix for this issue. Until that is possible, reject or strip control characters from any value placed into a Morsel attribute, and do not rely on js_output() to validate its own output.
