Seth Michael Larson

113 exploits Active since Mar 2020
CVE-2024-6232 WRITEUP HIGH WRITEUP
CPython < 3.8.20 - Denial of Service via TarFile Header Parsing ReDoS
There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
CVSS 7.5
CVE-2025-0938 WRITEUP MEDIUM WRITEUP
CPython urllib.parse - Bracketed Host Validation Bypass
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
CVE-2025-11468 WRITEUP MEDIUM WRITEUP
CPython HTTP Header Injection via Email Header Folding
When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized.
CVE-2025-15282 WRITEUP MEDIUM WRITEUP
Python urllib.request - Data URL Header Injection
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVE-2025-15366 WRITEUP MEDIUM WRITEUP
CPython < 3.15.0a6 - Command Injection via IMAP Command Newline Injection
The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
CVE-2025-15367 WRITEUP MEDIUM WRITEUP
CPython < 3.15.0a6 - Command Injection via Newline in POP3 Command
The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters.
CVE-2025-4330 WRITEUP HIGH WRITEUP
CPython Path Traversal via TarFile Extraction Filter Bypass
Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination directory, and the modification of some file metadata. You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter  for more information. Note that for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage is also affected. Note that none of these vulnerabilities significantly affect the installation of source distributions which are tar archives as source distributions already allow arbitrary code execution during the build process. However when evaluating source distributions it's important to avoid installing source distributions with suspicious links.
CVSS 7.5
CVE-2025-4435 WRITEUP HIGH WRITEUP
CPython TarFile - Incorrect Extraction with errorlevel=0
When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0 in affected versions is that the member would still be extracted and not skipped.
CVSS 7.5
CVE-2025-50181 WRITEUP MEDIUM WRITEUP
urllib3 < 2.5.0 - Open Redirect via PoolManager Retry Configuration
urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.
CVSS 5.3
CVE-2026-0672 WRITEUP MEDIUM WRITEUP
CPython HTTP Header Injection via http.cookies.Morsel
When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters.
CVE-2026-0865 WRITEUP MEDIUM WRITEUP
Python CPython - HTTP Header Injection
User-controlled header names and values containing newlines can allow injecting HTTP headers.
CVE-2026-1299 WRITEUP MEDIUM WRITEUP
CPython email module - CRLF Injection in BytesGenerator Header Serialization
The email module, specifically the "BytesGenerator" class, didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. This is only applicable if using "LiteralHeader" writing headers that don't respect email folding rules, the new behavior will reject the incorrectly folded headers in "BytesGenerator".
CVE-2026-1703 WRITEUP LOW WRITEUP
pip < 26.0 - Path Traversal via Maliciously Crafted Wheel Archive
When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn't able to inject or overwrite executable files in typical situations.