Updated: 2025-08-20 00:05:55.370428
Description:
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request.
Links: NIST, CIRCL, RHEL, Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | MEDIUM | 6.4 |
| CVSS Version 3.x | HIGH | 7.2 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Alpine Linux 3.22 | python | 3.6 | 7.2 | HIGH | Not Vulnerable | | 2026-01-27 16:43:55 | |
| Debian 10 | python | 3.6 | 7.2 | HIGH | Already Fixed | | 2025-09-05 09:17:35 | |
| Debian 10 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369860 | 2025-10-13 16:30:31 | |
| Debian 11 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369775 | 2025-10-13 16:30:30 | |
| Debian 11 | python | 3.6 | 7.2 | HIGH | Already Fixed | | 2025-09-05 09:17:35 | |
| Debian 12 | python | 3.7 | 7.2 | HIGH | Not Vulnerable | | 2025-11-14 16:30:23 | |
| Debian 12 | python | 3.6 | 7.2 | HIGH | Already Fixed | | 2025-09-05 09:17:34 | |
| Debian 12 | python | 2.7 | 7.2 | HIGH | Released | CLSA-2025:1760369700 | 2025-10-13 16:30:28 | |
| Debian 12 | python | 3.8 | 7.2 | HIGH | Not Vulnerable | | 2025-11-14 16:30:22 | |
| Debian 13 | python | 3.6 | 7.2 | HIGH | Already Fixed | | 2025-09-29 23:27:18 | |