Low severity 3.7 · NVD Advisory · Published Nov 12, 2024 · Updated Apr 15, 2026
CVE-2024-11168
Description
The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.
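One way to enforce the RFC 3986 bracketed-host rule regardless of the interpreter's patch level, as an added example (not code from CPython or from this advisory). The function names `bracketed_host_is_valid`, `strict_host` and `url_is_acceptable` and the sample URLs are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.2.2: IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"[vV][0-9A-Fa-f]+\.[A-Za-z0-9._~!$&'()*+,;=:-]+")
# Authority host part: "[" literal "]" with an optional ":port"
_BRACKETED = re.compile(r"\[([^\[\]]*)\](?::\d*)?")


def bracketed_host_is_valid(literal: str) -> bool:
    """True if the text between '[' and ']' is an IPv6 address or IPvFuture."""
    if literal[:1] in ("v", "V"):
        return _IPVFUTURE.fullmatch(literal) is not None
    try:
        ipaddress.IPv6Address(literal)
    except ValueError:  # AddressValueError subclasses ValueError
        return False
    return True


def strict_host(url: str) -> str:
    """Return the host of url; raise ValueError for a non-conformant bracketed host."""
    parts = urlsplit(url)  # patched interpreters already raise ValueError here
    hostport = parts.netloc.rpartition("@")[2]  # drop any userinfo
    if "[" in hostport or "]" in hostport:
        m = _BRACKETED.fullmatch(hostport)
        if m is None or not bracketed_host_is_valid(m.group(1)):
            raise ValueError(f"invalid bracketed host in {url!r}")
        return m.group(1)
    return parts.hostname or ""


def url_is_acceptable(url: str) -> bool:
    """Boolean wrapper for allow-list or SSRF pre-checks."""
    try:
        strict_host(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs, not taken from the advisory
    for u in ("http://[::1]:8080/", "http://[v1.fe80::a+en1]/",
              "http://[127.0.0.1]/", "http://[example.com]/"):
        print(f"{u:28} acceptable={url_is_acceptable(u)}")
```

Running the same check before a URL is handed to a second parser or HTTP client keeps both components in agreement about which host the URL names.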
Patches
- 29f348e232e8
- b2171a2fd414
- ddca2953191c
- 634ded45545c
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/python/cpython/commit/29f348e232e82938ba2165843c448c2b291504c5 (nvd)
- github.com/python/cpython/commit/634ded45545ce8cbd6fd5d49785613dd7fa9b89e (nvd)
- github.com/python/cpython/commit/b2171a2fd41416cf68afd67460578631d755a550 (nvd)
- github.com/python/cpython/commit/ddca2953191c67a12b1f19d6bca41016c6ae7132 (nvd)
- github.com/python/cpython/issues/103848 (nvd)
- github.com/python/cpython/pull/103849 (nvd)
- lists.debian.org/debian-lts-announce/2024/12/msg00000.html (nvd)
- mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/ (nvd)
- security.netapp.com/advisory/ntap-20250411-0004/ (nvd)