Updated: 2025-08-20 02:05:43.738639
Description:
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Links: NIST | CIRCL | RHEL | Ubuntu

| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | LOW | 3.7 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | python3.11 | 3.11.2 | 3.7 | LOW | Released | CLSA-2025:1741126677 | 2025-03-05 21:52:55 | |
| AlmaLinux 9.2 ESU | python3 | 3.9.16 | 3.7 | LOW | Released | CLSA-2025:1742919946 | 2025-03-26 03:29:15 | |
| CentOS 8.4 ELS | python3 | 3.6.8 | 3.7 | LOW | Released | CLSA-2025:1741635599 | 2025-03-10 22:58:46 | |
| CentOS 8.4 ELS | python2 | 2.7.18 | 3.7 | LOW | Ignored | | 2025-12-30 03:53:34 | |
| CentOS 8.5 ELS | python2 | 2.7.18 | 3.7 | LOW | Ignored | | 2025-12-30 03:53:33 | This issue only matters when an attacker-controlled URL with a bracketed non‑IP host is first pars... |
| CentOS 8.5 ELS | python3 | 3.6.8 | 3.7 | LOW | Released | CLSA-2025:1741635940 | 2025-03-10 22:58:47 | This issue only matters when an attacker-controlled URL with a bracketed non‑IP host is first pars... |
| CentOS Stream 8 ELS | python2 | 2.7.18 | 3.7 | LOW | Ignored | | 2025-12-30 03:53:34 | This issue only matters when an attacker-controlled URL with a bracketed non‑IP host is first pars... |
| Ubuntu 16.04 ELS | python3.5 | 3.5.2 | 3.7 | LOW | Released | CLSA-2025:1742379028 | 2025-03-20 03:52:35 | |
| Ubuntu 18.04 ELS | python3.6 | 3.6.9-1 | 3.7 | LOW | Released | CLSA-2025:1750780647 | 2025-06-25 02:59:09 | |