CVE-2025-0938 Information
Description
The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn’t valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
Reference
https://github.com/python/cpython/commit/d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a
https://github.com/python/cpython/issues/105704
https://github.com/python/cpython/pull/129418
https://mail.python.org/archives/list/security-announce@python.org/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/
The
Python
standard
library
functions
urllib.parse.urlsplit
and
urlparse
accepted
domain
names
that
included
square
brackets
which
isn’t
valid
according
to
RFC
3986.
Square
brackets
are
only
meant
to
be
used
as
delimiters
for
specifying
IPv6
and
IPvFuture
hosts
in
URLs.
This
could
result
in
differential
parsing
across
the
Python
URL
parser
and
other
specification-compliant
URL
parsers.