CVE-2020-26137

MEDIUM

urllib3 < 1.25.9 - CRLF Injection via HTTP Request Method

Title source: llm

Description

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Scores

CVSS v3 6.5
EPSS 0.0220
EPSS Percentile 80.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE CWE-74
Status published
Products (8)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
debian/debian_linux 9.0
oracle/communications_cloud_native_core_network_function_cloud_native_environment 22.2.0
oracle/zfs_storage_appliance_kit 8.8
pypi/urllib3 0 - 1.25.9 (PyPI)
python/urllib3 < 1.25.9
Published Sep 30, 2020
Tracked Since Feb 18, 2026