CVE-2014-4650

CRITICAL

Python 2.7.5 and 3.3.4 - Path Traversal via URL-Encoded Path Separators


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4650. PoCs published by RedTeam Pentesting.

AI-analyzed exploit summary: This is a detailed advisory explaining CVE-2014-4650, a vulnerability in Python's CGIHTTPServer module that allows file disclosure and potential code execution due to improper handling of URL-encoded path separators. The advisory includes technical details, affected versions, and proof-of-concept examples using curl commands.

Description

The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator.

Exploits (1)

exploitdb WRITEUP VERIFIED
by RedTeam Pentesting · text · webapps · multiple
https://www.exploit-db.com/exploits/33894


Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Python CGIHTTPServer (2.7 - 2.7.7, 3.2 - 3.2.4, 3.3 - 3.3.2, 3.4 - 3.4.1, 3.5 pre-release)
No auth needed
Prerequisites: A running Python CGIHTTPServer instance with CGI scripts in the document root
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2014/06/26/3
Exploit, Patch, Vendor Advisory x_refsource_misc
http://bugs.python.org/issue21766
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/security/cve/cve-2014-4650

Scores

CVSS v3 9.8
EPSS 0.0723
EPSS Percentile 91.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (5)
python/python 2.7.0 - 2.7.8
redhat/enterprise_linux 5.0
redhat/enterprise_linux 6.0
redhat/enterprise_linux 7.0
redhat/software_collections
Published Feb 20, 2020
Tracked Since Feb 18, 2026