Bug 2431366 (CVE-2025-15282) - CVE-2025-15282 cpython: Header injection via newlines in data URL mediatype in Python
Summary: CVE-2025-15282 cpython: Header injection via newlines in data URL mediatype i...
Keywords:
Status: NEW
Alias: CVE-2025-15282
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2431759 2431763 2431768 2431786 2431790 2431795 2431798 2431808 2431812 2431816 2431823 2431827 2431831 2431834 2431839 2431841 2431843 2431847 2431849 2431851 2431852 2431853 2431854
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-20 22:01 UTC by OSIDB Bzimport
Modified: 2026-01-21 20:34 UTC (History)
15 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-20 22:01:46 UTC 
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
Note You need to log in before you can comment on or make changes to this bug.