#VU122816 CRLF injection in Python - CVE-2025-15282
Published: February 13, 2026
Vulnerability identifier: #VU122816
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:U/U:Green
CVE-ID: CVE-2025-15282
CWE-ID: CWE-93
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Python
Python
Software vendor:
Python.org
Python.org
Description
The vulnerability allows a remote attacker to inject arbitrary data in server response.
The vulnerability exists due to insufficient validation of attacker-supplied data in urllib.request.DataHandler. A remote attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.
Remediation
Install updates from vendor's website.
External links
- https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0
- https://github.com/python/cpython/commit/34d76b00dabde81a793bd06dd8ecb057838c4b38
- https://github.com/python/cpython/commit/3f396ca9d7bbe2a50ea6b8c9b27c0082884d9f80
- https://github.com/python/cpython/commit/4ed11d3cd288e6b90196a15c5a825a45d318fe47
- https://github.com/python/cpython/commit/a35ca3be5842505dab74dc0b90b89cde0405017a
- https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f
- https://github.com/python/cpython/issues/143925
- https://github.com/python/cpython/pull/143926
- https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/