CVE-2025-0938

URL parser allowed square brackets in domain names

Description

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

Category

6.3
CVSS
Severity: Medium
CVSS 4.0 •
EPSS 1.02% Top 25%
Vendor Advisory python.org
Affected: Python Software Foundation CPython
Published at:
Updated at:

References

Link Tags
https://github.com/python/cpython/issues/105704 issue tracking
https://github.com/python/cpython/pull/129418 patch
https://mail.python.org/archives/list/security-announce@python.org/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/ vendor advisory
https://github.com/python/cpython/commit/d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a patch
https://github.com/python/cpython/commit/90e526ae67b172ed7c6c56e7edad36263b0f9403 patch
https://github.com/python/cpython/commit/a7084f6075c9595ba60119ce8c62f1496f50c568 patch
https://github.com/python/cpython/commit/526617ed68cde460236c973e5d0a8bad4de896ba patch
https://github.com/python/cpython/commit/b8b4b713c5f8ec0958c7ef8d29d6711889bc94ab patch
https://github.com/python/cpython/commit/ff4e5c25666f63544071a6b075ae8b25c98b7a32 patch
https://security.netapp.com/advisory/ntap-20250314-0002/

Frequently Asked Questions

What is the severity of CVE-2025-0938?
CVE-2025-0938 has been scored as a medium severity vulnerability.
How to fix CVE-2025-0938?
To fix CVE-2025-0938, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-0938 being actively exploited in the wild?
It is possible that CVE-2025-0938 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-0938?
CVE-2025-0938 affects Python Software Foundation CPython.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.