Description
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
References (8)
Third Party Advisory (vendor-advisory): https://usn.ubuntu.com/4570-1/
Mailing List, Third Party Advisory (mailing-list): https://lists.debian.org/debian-lts-announce/2021/06/msg00015.html
Mailing List (mailing-list): https://lists.debian.org/debian-lts-announce/2023/10/msg00012.html
Issue Tracking, Vendor Advisory: https://bugs.python.org/issue39603
Patch, Third Party Advisory: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
Patch, Third Party Advisory: https://github.com/urllib3/urllib3/pull/1800
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpujul2022.html
Patch, Third Party Advisory: https://www.oracle.com/security-alerts/cpuoct2021.html
Scores
CVSS v3: 6.5
EPSS: 0.0034
EPSS Percentile: 56.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Details
CWE: CWE-74
Status: published
Products (8)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 20.04
debian/debian_linux 9.0
oracle/communications_cloud_native_core_network_function_cloud_native_environment 22.2.0
oracle/zfs_storage_appliance_kit 8.8
pypi/urllib3 0 - 1.25.9 (PyPI)
python/urllib3 < 1.25.9
Published: Sep 30, 2020
Tracked Since: Feb 18, 2026