CVE-2025-0938

EPSS 1.6%

URL parser allowed square brackets in domain names

發布日:2025/1/31修改日:2025/12/3

也稱為:ALPINE-CVE-2025-0938

描述

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

受影響套件(8)

Alpine/python3from 0, < 3.11.12-r0
Bitnami/libpythonfrom 0, < 3.9.22, >= 3.10.0, < 3.10.17, >= 3.11.0, < 3.11.12, >= 3.12.0, < 3.12.9, >= 3.13.0, < 3.13.2
Bitnami/pythonfrom 0, < 3.9.22, >= 3.10.0, < 3.10.17, >= 3.11.0, < 3.11.12, >= 3.12.0, < 3.12.9, >= 3.13.0, < 3.13.2
Bitnami/python-minfrom 0, < 3.9.22, >= 3.10.0, < 3.10.17, >= 3.11.0, < 3.11.12, >= 3.12.0, < 3.12.9, >= 3.13.0, < 3.13.2
Debian/pypy3from 0, < 7.3.5+dfsg-2+deb11u5
Debian/python3.11from 0, < 3.11.2-6+deb12u6
Debian/python3.13from 0, < 3.13.2-1
Debian/python3.9from 0, < 3.9.2-1+deb11u3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

描述

受影響套件(8)

CVSS 分數

參考連結(14)