Python urllib.parse: Invalid Square Bracket URL Parsing Issue
CVE-2025-0938 Published on January 31, 2025
URL parser allowed square brackets in domain names
The Python standard library functions `urllib.parse.urlsplit` and `urllib.parse.urlparse` accepted host names that contained square brackets, which is not valid under RFC 3986: square brackets are permitted only as the delimiters of an IP-literal host, i.e. an IPv6 address or an IPvFuture form, and may not appear in a registered name. Because Python accepted such a host where a specification-compliant parser would reject it (or would read a different host from it), the same URL could be interpreted differently by the Python URL parser and by other specification-compliant URL parsers, a parser differential that can undermine host-based allow-lists and similar checks performed on the parsed result.
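As an added example, not code from the advisory or from CPython, the following validator applies the RFC 3986 rule the advisory describes on top of `urlsplit`: a host may contain square brackets only as the outer delimiters of a single IPv6 or IPvFuture literal, optionally followed by a port, and a registered name may not contain them at all. The function name `check_host`, the regular expressions and all sample URLs are constructed for this page. It is written to give the same verdict on patched and unpatched interpreters: where a fixed CPython already raises `ValueError` from `urlsplit`, that is reported as a rejection; where an older CPython accepts the URL, the explicit check rejects it instead.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+")
# RFC 3986 reg-name: *( unreserved / pct-encoded / sub-delims ), so no "[", "]" or ":"
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")


def check_host(url):
    """Return (ok, reason) for the host part of `url` under RFC 3986 bracket rules.

    Hypothetical helper written for this page. If urlsplit itself rejects the URL
    (fixed CPython versions raise ValueError for bad brackets) that counts as a
    rejection too, so the verdict does not depend on the interpreter version.
    """
    try:
        netloc = urlsplit(url).netloc
    except ValueError as exc:
        return False, f"urlsplit rejected the URL: {exc}"

    authority = netloc.rpartition("@")[2]  # drop any userinfo

    if authority.startswith("["):
        close = authority.find("]")
        if close == -1:
            return False, "unterminated '[' in host"
        inner, rest = authority[1:close], authority[close + 1:]
        # Only an optional ":port" may follow the closing bracket.
        if rest and not re.fullmatch(r":[0-9]*", rest):
            return False, "data after ']' that is not a port"
        if _IPVFUTURE.fullmatch(inner):
            return True, "IPvFuture literal"
        try:
            ipaddress.IPv6Address(inner)  # RFC 6874 zone IDs are not handled here
        except ValueError:
            return False, "bracketed host is not an IPv6 literal"
        return True, "IPv6 literal"

    # Not bracketed: the host is a reg-name or IPv4 address, optionally ":port".
    m = re.fullmatch(r"([^:]*)(?::([0-9]*))?", authority)
    if m is None:
        return False, "unexpected ':' in host"
    host = m.group(1)
    if "[" in host or "]" in host:
        return False, "square brackets are only valid around an IP literal"
    if not _REG_NAME.fullmatch(host):
        return False, "character not allowed in reg-name"
    return True, "reg-name or IPv4 address"


if __name__ == "__main__":
    # Constructed sample URLs; the first three are valid, the rest misuse brackets.
    samples = [
        "http://example.com:8080/path",
        "http://user:pw@[::1]:443/",
        "http://[v1.fe80::a+en1]/",
        "http://example.com[::1]/",
        "http://[::1]example.com/",
        "http://[example.com]/",
        "http://exa[mple.com/",
    ]
    for sample in samples:
        ok, reason = check_host(sample)
        print(f"{'OK    ' if ok else 'REJECT'} {sample}  ({reason})")
```

The point of running the explicit check rather than trusting `.hostname` alone is that the value an application compares against an allow-list should be derived from the same host the check validated; a URL whose authority mixes a registered name with a bracketed literal is rejected outright instead of being reduced to whichever part the parser happens to keep.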
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2025-0938
Canonical Ubuntu Linux; Python Software Foundation CPython.
Affected Versions
Python Software Foundation CPython:
- Before 3.9.22 is affected.
- From 3.10.0 up to but not including 3.10.17 is affected.
- From 3.11.0 up to but not including 3.11.12 is affected.
- From 3.12.0 up to but not including 3.12.9 is affected.
- From 3.13.0 up to but not including 3.13.2 is affected.
- From 3.14.0a1 up to but not including 3.14.0a5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.