Bug 2343237 (CVE-2025-0938) - CVE-2025-0938 python: cpython: URL parser allowed square brackets in domain names
Keywords:
Status: NEW
Alias: CVE-2025-0938
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2343272 2343273 2343274 2343275 2343276 2343277 2343278 2343279
Blocks:
 
Reported: 2025-01-31 18:01 UTC by OSIDB Bzimport
Modified: 2025-04-06 19:21 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-01-31 18:01:10 UTC
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
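A parser-independent pre-check for the rule described above, useful where a URL is validated by one component and fetched by another. This is an added example, not code from this bug or from CPython; `check_host` and the sample URLs are constructed for illustration, and the check covers only bracket placement in the host, not full RFC 3986 validation.

```python
import ipaddress
import re

# RFC 3986 appendix B style split: optional scheme, then "//" authority.
_URI = re.compile(r"^(?:([^:/?#]+):)?(?://([^/?#]*))?")
# RFC 3986: IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+")
# IP-literal must span the whole host; only an optional ":port" may follow.
_IP_LITERAL = re.compile(r"\[([^\[\]]*)\](?::\d*)?")


def check_host(url):
    """Return (ok, reason) for the bracket usage in the URL's host.

    Brackets are accepted only as the delimiters of an IP-literal
    (IPv6 or IPvFuture) that makes up the entire host component.
    """
    authority = _URI.match(url).group(2) or ""
    hostport = authority.rpartition("@")[2]  # drop userinfo if present
    if "[" not in hostport and "]" not in hostport:
        return True, "no brackets"
    literal = _IP_LITERAL.fullmatch(hostport)
    if literal is None:
        return False, "brackets outside an IP-literal"
    inner = literal.group(1)
    if _IPVFUTURE.fullmatch(inner):
        return True, "IPvFuture"
    try:
        ipaddress.IPv6Address(inner)
    except ValueError:
        return False, "bracketed host is not IPv6 or IPvFuture"
    return True, "IPv6"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "http://example.com/",
        "http://user@[::1]:8080/x",
        "http://[v6a.ip]/",
        "http://prefix.[v6a.ip]/",
        "http://[::1].example.com/",
        "http://[example.com]/",
    ):
        print(sample, check_host(sample))
```

Rejecting such URLs before any parser sees them avoids relying on which Python version, or which other URL library, handles the host.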

