Miss Islington (bot)

CVE-2025-11468 WRITEUP MEDIUM WRITEUP

CPython HTTP Header Injection via Email Header Folding

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

View Code

CVE-2025-13836 WRITEUP HIGH WRITEUP

Python < 3.13.11 - Uncontrolled Resource Consumption via HTTP Response Content-Length

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

CVSS 7.5

View Code

CVE-2024-3219 WRITEUP MEDIUM WRITEUP

CPython <3.8.20, 3.9.0-3.9.19, 3.10.0-3.10.14, 3.11.0-3.11.9, 3.12.0-3.12.4, 3.13.0a1-3.13.0rc0 - Socket Connection Race

The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.

View Code

CVE-2024-6232 WRITEUP HIGH WRITEUP

CPython < 3.8.20 - Denial of Service via TarFile Header Parsing ReDoS

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

CVSS 7.5

View Code

CVE-2024-7592 WRITEUP HIGH WRITEUP

CPython < 3.8.20 - Inefficient Regular Expression Complexity in http.cookies Module

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

CVSS 7.5

View Code

CVE-2024-8088 WRITEUP HIGH WRITEUP

CPython - Zip File Path Traversal

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

View Code

CVE-2025-0938 WRITEUP MEDIUM WRITEUP

CPython urllib.parse - Bracketed Host Validation Bypass

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

View Code

CVE-2025-11468 WRITEUP MEDIUM WRITEUP

CPython HTTP Header Injection via Email Header Folding

When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.

View Code

CVE-2025-13836 WRITEUP HIGH WRITEUP

Python < 3.13.11 - Uncontrolled Resource Consumption via HTTP Response Content-Length

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

CVSS 7.5

View Code

CVE-2025-8194 WRITEUP HIGH WRITEUP

CPython TarFile Extraction Infinite Loop Vulnerability

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module:  https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

CVSS 7.5

View Code

CVE-2025-8291 WRITEUP MEDIUM WRITEUP

CPython <3.9.24, 3.10.0-3.10.18, 3.11.0-3.11.13, 3.12.0-3.12.11, 3.13.0-3.13.9, 3.14.0 - ZIP64 EOCD Validation Bypass

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.

CVSS 4.3

View Code

CVE-2026-0865 WRITEUP MEDIUM WRITEUP

Python CPython - HTTP Header Injection

User-controlled header names and values containing newlines can allow injecting HTTP headers.

View Code

CVE-2026-4519 WRITEUP LOW WRITEUP

webbrowser.open() allows leading dashes in URLs

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

CVSS 3.3

View Code

CVE-2024-6923 WRITEUP MEDIUM WRITEUP

CPython HTTP Header Injection in email Module

There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized.

CVSS 5.5

View Code

CVE-2024-7592 WRITEUP HIGH WRITEUP

CPython < 3.8.20 - Inefficient Regular Expression Complexity in http.cookies Module

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

CVSS 7.5

View Code

CVE-2024-8088 WRITEUP HIGH WRITEUP

CPython - Zip File Path Traversal

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

View Code

CVE-2025-0938 WRITEUP MEDIUM WRITEUP

CPython urllib.parse - Bracketed Host Validation Bypass

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

View Code

CVE-2025-13837 WRITEUP MEDIUM WRITEUP

Python < 3.13.10 - Denial of Service via plistlib Malicious File Size Handling

When loading a plist file, the plistlib module reads data in size specified by the file itself, meaning a malicious file can cause OOM and DoS issues

CVSS 5.5

View Code

CVE-2025-1795 WRITEUP LOW WRITEUP

CPython Email Header Injection via Address List Folding

During an address list folding when a separating comma ends up on a folded line and that line is to be unicode-encoded then the separator itself is also unicode-encoded. Expected behavior is that the separating comma remains a plan comma. This can result in the address header being misinterpreted by some mail servers.

View Code

CVE-2025-8291 WRITEUP MEDIUM WRITEUP

CPython <3.9.24, 3.10.0-3.10.18, 3.11.0-3.11.13, 3.12.0-3.12.11, 3.13.0-3.13.9, 3.14.0 - ZIP64 EOCD Validation Bypass

The 'zipfile' module would not check the validity of the ZIP64 End of Central Directory (EOCD) Locator record offset value would not be used to locate the ZIP64 EOCD record, instead the ZIP64 EOCD record would be assumed to be the previous record in the ZIP archive. This could be abused to create ZIP archives that are handled differently by the 'zipfile' module compared to other ZIP implementations. Remediation maintains this behavior, but checks that the offset specified in the ZIP64 EOCD Locator record matches the expected value.

CVSS 4.3

View Code

CVE-2026-4519 WRITEUP LOW WRITEUP

webbrowser.open() allows leading dashes in URLs

The webbrowser.open() API would accept leading dashes in the URL which could be handled as command line options for certain web browsers. New behavior rejects leading dashes. Users are recommended to sanitize URLs prior to passing to webbrowser.open().

CVSS 3.3

View Code

CVE-2024-6232 WRITEUP HIGH WRITEUP

CPython < 3.8.20 - Denial of Service via TarFile Header Parsing ReDoS

There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

CVSS 7.5

View Code

CVE-2024-7592 WRITEUP HIGH WRITEUP

CPython < 3.8.20 - Inefficient Regular Expression Complexity in http.cookies Module

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

CVSS 7.5

View Code

CVE-2024-9287 WRITEUP HIGH WRITEUP

CPython < 3.9.21 - Command Injection via Unquoted Path in venv Module

A vulnerability has been found in the CPython `venv` module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts (ie "source venv/bin/activate"). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie "./venv/bin/python") are not affected.

CVSS 7.8

View Code

CVE-2025-13836 WRITEUP HIGH WRITEUP

Python < 3.13.11 - Uncontrolled Resource Consumption via HTTP Response Content-Length

When reading an HTTP response from a server, if no read amount is specified, the default behavior will be to use Content-Length. This allows a malicious server to cause the client to read large amounts of data into memory, potentially causing OOM or other DoS.

CVSS 7.5

View Code