The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing between the Python URL parser and other specification-compliant URL parsers.
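As an added defensive example (not part of the CVE record and not CPython's own fix), the hypothetical `validate_url_host` below applies the RFC 3986 rule the advisory describes on top of `urlsplit`: brackets in the authority are accepted only around an IPv6 address or an IPvFuture literal, so an application gets the same answer whether or not the interpreter is patched.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"^[vV][0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+$")
# Characters permitted in an unbracketed reg-name / IPv4address (pct-encoded allowed)
_REG_NAME = re.compile(r"^[A-Za-z0-9\-._~%!$&'()*+,;=]+$")


def validate_url_host(url):
    """Return (ok, host, reason). Hypothetical helper, assumed name.

    Brackets in the authority are only accepted around an IPv6 address or an
    RFC 3986 IPvFuture literal; any other bracketed host is rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # a patched CPython may reject bad brackets itself
        return False, None, f"urlsplit rejected URL: {exc}"
    # Drop userinfo, keep host[:port].
    _, _, hostport = parts.netloc.rpartition("@")
    if hostport.startswith("["):
        literal, closing, rest = hostport[1:].partition("]")
        if not closing or (rest and not rest.startswith(":")):
            return False, None, "malformed bracketed host"
        if literal[:1] in ("v", "V"):
            if _IPVFUTURE.match(literal):
                return True, literal, "IPvFuture literal"
            return False, None, f"invalid IPvFuture literal {literal!r}"
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            return False, None, f"brackets around non-IPv6 host {literal!r}"
        return True, literal, "IPv6 literal"
    host, _, _ = hostport.partition(":")
    if not host or "[" in host or "]" in host or not _REG_NAME.match(host):
        return False, None, f"invalid host {host!r}"
    return True, host, "reg-name or IPv4 address"
```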
CVE ID: CVE-2025-0938
CVSS Base Severity: MEDIUM
CVSS Base Score: 6.3
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
Vendor: Python Software Foundation
Product: CPython
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 15.62% (share of scored vulnerabilities with an equal or lower score)
EPSS Date: 2025-03-01 (date the score was calculated)