Updated: 2025-08-20 00:05:55.370428
Description:
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
| Metric | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 6.4 |
| CVSS Version 3.x | HIGH | 7.2 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | python | 3.7 | 7.2 | HIGH | Not Vulnerable | | 2026-02-16 14:41:26 | |
| Alpine Linux 3.22 | python | 3.8 | 7.2 | HIGH | Not Vulnerable | | 2026-02-07 04:07:52 | |
| Alpine Linux 3.22 | python | 3.6 | 7.2 | HIGH | Not Vulnerable | | 2026-01-27 16:43:55 | |
| Debian 10 | python | 3.6 | 7.2 | HIGH | Already Fixed | | 2025-09-05 09:17:35 | |
| Debian 10 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369860 | 2025-10-13 16:30:31 | |
| Debian 11 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369775 | 2025-10-13 16:30:30 | |
| Debian 11 | python | 3.6 | 7.2 | HIGH | Already Fixed | | 2025-09-05 09:17:35 | |
| Debian 12 | python | 3.7 | 7.2 | HIGH | Not Vulnerable | | 2025-11-14 16:30:23 | Not vulnerable: the Python runtimes in scope are 3.7.17 and 3.8.20, which already include the upstre... |
| Debian 12 | python | 3.6 | 7.2 | HIGH | Already Fixed | | 2025-09-05 09:17:34 | Not vulnerable: the Python runtimes in scope are 3.7.17 and 3.8.20, which already include the upstre... |
| Debian 12 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369700 | 2025-10-13 16:30:28 | Not vulnerable: the Python runtimes in scope are 3.7.17 and 3.8.20, which already include the upstre... |