Description
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing between the Python URL parser and other specification-compliant URL parsers.
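The bracket rule described above can be enforced before a URL reaches any parser, independent of the installed Python version. The following is an added example, not code from CPython or its patch; `bracket_violation` and the sample URLs are constructed for illustration, and it checks only bracket placement, not full RFC 3986 validity.

```python
import ipaddress
import re

# RFC 3986 Appendix B splitting regex; group 2 is the authority component.
_URI_RE = re.compile(
    r"^(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?", re.DOTALL)
# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE_RE = re.compile(r"v[0-9A-Fa-f]+\.[A-Za-z0-9._~!$&'()*+,;=:-]+")


def bracket_violation(url):
    """Return a reason string if the authority misuses '[' or ']', else None."""
    authority = _URI_RE.match(url).group(2)
    if authority is None or not ("[" in authority or "]" in authority):
        return None
    userinfo, _, hostport = authority.rpartition("@")
    if "[" in userinfo or "]" in userinfo:
        return "square bracket in userinfo"
    if not hostport.startswith("["):
        return "host contains a bracket but does not start with '['"
    literal, closed, rest = hostport[1:].partition("]")
    if not closed:
        return "missing closing ']'"
    if rest and not re.fullmatch(r":[0-9]*", rest):
        return "characters after ']' that are not a port"
    if _IPVFUTURE_RE.fullmatch(literal):
        return None
    try:
        # Note: ipaddress also accepts a "%zone" suffix on Python 3.9+.
        ipaddress.IPv6Address(literal)
    except ValueError:
        return "bracketed host is not an IPv6 or IPvFuture literal"
    return None


if __name__ == "__main__":
    # Constructed sample URLs: the first two are valid, the rest misuse brackets.
    for sample in ("http://[2001:db8::1]:8080/path",
                   "http://[v1.fe:ab]/",
                   "http://prefix.[v6a.ip]/",
                   "http://[::1]suffix.example/",
                   "http://[example.com]/"):
        print(f"{sample!r}: {bracket_violation(sample) or 'ok'}")
```

Rejecting a URL when this returns a reason means the Python side and a specification-compliant parser are never asked to disagree about where the host ends.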
References (11)
Core References
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250314-0002/
Issue Tracking issue-tracking
https://github.com/python/cpython/issues/105704
Issue Tracking patch
https://github.com/python/cpython/pull/129418
Various Sources vendor-advisory
https://mail.python.org/archives/list/[email protected]/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/
Scores
CVSS v4
6.3
EPSS
0.0148
EPSS Percentile
81.1%
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (7)
Python Software Foundation/CPython
< 3.10.17
Python Software Foundation/CPython
< 3.9.22
Python Software Foundation/CPython
3.10.0 - 3.10.17
Python Software Foundation/CPython
3.11.0 - 3.11.12
Python Software Foundation/CPython
3.12.0 - 3.12.9
Python Software Foundation/CPython
3.13.0 - 3.13.2
Python Software Foundation/CPython
3.14.0a1 - 3.14.0a5
Published
Jan 31, 2025
Tracked Since
Feb 18, 2026