CVE-2024-11168

Improper validation of IPv6 and IPvFuture addresses

Description

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Category

6.3
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.15%
Vendor Advisory python.org
Affected: Python Software Foundation CPython
Published at:
Updated at:

References

Link Tags
https://github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5 patch
https://github.com/python/cpython/pull/103849 patch
https://github.com/python/cpython/issues/103848 issue tracking
https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/ vendor advisory
https://github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550 patch
https://github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e patch
https://github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132 patch
https://security.netapp.com/advisory/ntap-20250411-0004/

Frequently Asked Questions

What is the severity of CVE-2024-11168?
CVE-2024-11168 has been scored as a medium severity vulnerability.
How to fix CVE-2024-11168?
To fix CVE-2024-11168, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-11168 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-11168 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-11168?
CVE-2024-11168 affects Python Software Foundation CPython.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.