Vulnerability DatabaseCVE-2025-0938

CVE-2025-0938:
Python Interpreter vulnerability analysis and mitigation

Overview

The Python standard library functions urllib.parse.urlsplit and urlparse contained a vulnerability (CVE-2025-0938) discovered in January 2025. The functions incorrectly accepted domain names containing square brackets, which violates RFC 3986 specifications that restrict square brackets to only be used as delimiters for IPv6 and IPvFuture hosts in URLs (Red Hat CVE, Python Security).

Technical details

The vulnerability stems from the URL parsing algorithm's incomplete handling of square brackets in hostnames. The implementation would accept URLs with square brackets embedded within domain names, such as 'http://prefix.[v1.example]/' and 'http://[v1.example].postfix/', instead of rejecting them as invalid. According to RFC 3986 and the WHATWG URL standard, square brackets are only valid when used as delimiters for IPv6 or IPvFuture addresses at the start and end of the hostname section (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 score of 6.8 (Medium) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (Red Hat CVE).

Impact

This vulnerability could result in differential parsing behavior between Python's URL parser and other specification-compliant URL parsers. The inconsistency could potentially lead to security issues in applications that rely on consistent URL parsing behavior, particularly in scenarios involving security decisions based on hostname validation (Red Hat CVE).

Mitigation and workarounds

The issue has been fixed in Python versions 3.13.2-1, 3.12.9-1, and patches are being backported to earlier supported versions. For affected versions where patches are not yet available, Red Hat notes that mitigation options either do not exist or do not meet their security criteria for ease of use, deployment, and stability (Red Hat CVE, Debian Tracker).

Community reactions

The vulnerability has particularly impacted users of Django and django-environ, with some reporting broken functionality in production environments due to the presence of square brackets in PostgreSQL passwords. The issue was noted as a significant breaking change that affected systems after upgrading to Python 3.11.4 (GitHub Issue).

Additional resources

Source: This report was generated using AI

6.3

Score

Published January 31, 2025

Severity MEDIUM

CNA Score 6.3

Affected Technologies

Python Interpreter
Wolfi

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 76.1

Exploitation Probability (EPSS) 1

Sources

NVD
Alpine Security Tracker
- Alpine 3.18, 3.19 Has FixAdded at: Apr 10, 2025
- Alpine 3.20, 3.21, edge Has FixAdded at: Feb 09, 2025
CBL-Mariner
- CBL-Mariner 2.0 Severity MEDIUMHas FixAdded at: Feb 26, 2025
- CBL-Mariner 3.0 Severity MEDIUMHas FixAdded at: May 04, 2025
Chainguard
- Chainguard Has FixAdded at: Feb 09, 2025
Debian Security Tracker
- Debian 11, 12 Severity MEDIUMHas FixAdded at: Feb 02, 2025
- Debian 13 Has FixAdded at: Feb 02, 2025
Red Hat Errata
- Red Hat 6, 7, 8 Severity MEDIUMNo FixAdded at: Feb 02, 2025
- Red Hat 9 Severity MEDIUMHas FixAdded at: Feb 02, 2025
Ubuntu Security Tracker
- Ubuntu 16.04 Severity MEDIUMHas FixAdded at: Mar 11, 2025
- Ubuntu 18.04 Severity MEDIUMNo FixAdded at: May 13, 2025
- Ubuntu 20.04, 22.04, 24.04, 24.10 Severity MEDIUMHas FixAdded at: Feb 23, 2025
VulnCheck NVD++
- Linux Has FixAdded at: Feb 02, 2025
- Windows Has FixAdded at: Feb 02, 2025
Wolfi
- Wolfi Has FixAdded at: Feb 09, 2025