SB20250211115 - Improper input validation in Python
Published: February 11, 2025
Security Bulletin ID
SB20250211115
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2025-0938)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to urllib.parse.urlsplit and urlparse accept domain names with square brackets. A remote attacker can pass specially crafted input to the application and bypass implemented security restrictions.
Remediation
Install update from vendor's website.
References
- https://github.com/python/cpython/commit/90e526ae67b172ed7c6c56e7edad36263b0f9403
- https://github.com/python/cpython/commit/a7084f6075c9595ba60119ce8c62f1496f50c568
- https://github.com/python/cpython/commit/d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a
- https://github.com/python/cpython/issues/105704
- https://github.com/python/cpython/pull/129418
- https://mail.python.org/archives/list/security-announce@python.org/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/