VYPR
Medium severity · OSV Advisory · Published Jan 31, 2025 · Updated Apr 15, 2026

CVE-2025-0938


Description

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Python's urllib.parse.urlsplit and urlparse incorrectly allowed square brackets in domain names, violating RFC 3986 and enabling potential SSRF due to parsing discrepancies.

Vulnerability Description

Python's standard library functions urllib.parse.urlsplit and urlparse accepted domain names containing square brackets ([ and ]), which is not valid according to RFC 3986. Square brackets may only be used as delimiters around an IPv6 or IPvFuture address literal in a URL. This bug allowed non-compliant hosts such as prefix.[v6a.ip] to be parsed as valid, contrary to the specification, with the hostname attribute of the result reporting only the bracketed portion (v6a.ip) and silently discarding the text around it [1][2][3][4].

Attack Surface and Exploitation

An attacker can craft a URL whose host contains square brackets and that is interpreted differently by Python's parser and by a specification-compliant parser. Before the fix, urlsplit() accepted http://prefix.[v6a.ip]/ and its hostname attribute returned v6a.ip, because the pre-fix host splitting partitioned the network location on the first '[' and the next ']' without checking what surrounded them, whereas an RFC 3986-compliant parser rejects such a URL outright. The discrepancy matters when one component validates or allow-lists the host using Python and a different component (a proxy, an HTTP client built on another parser, a browser) decides where the request actually goes: a check that passes on Python's view of the URL can be bypassed on the other parser's view [1].

Impact

Successful exploitation could lead to security bypasses such as server-side request forgery (SSRF), incorrect access control decisions, or phishing, depending on how an application uses the parsed hostname. The advisory assigns a CVSS base score of 5.3 (Medium), reflecting the moderate severity.

Mitigation

The fix, made on the CPython main branch and backported to the maintenance branches (the cited commits cover main, 3.13, 3.11 and 3.10), makes urlsplit() and urlparse() raise ValueError when anything other than an optional ':port' surrounds a bracketed host, so prefix.[v6a.ip] and [v6a.ip].suffix are now rejected [1][2][3][4]. Users should upgrade to a Python release on their branch that includes the fix (3.13.x, 3.12.x, 3.11.x or 3.10.x). Until then, applications can pre-validate the network location themselves before calling urllib.parse: reject any netloc in which '[' is not the first character of the host part or ']' is followed by anything other than the end of the netloc or a ':'-delimited port, which is the same rule the fix enforces. Alternatively, parse the URL with an RFC 3986- or WHATWG-compliant parser as well and refuse the request when the two hostnames disagree.
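The two behaviours discussed above, the pre-fix host extraction and the check the fix introduced, as an added example that is not code from CPython or from this advisory: legacy_hostname() re-implements the pre-fix splitting of urllib.parse's _hostinfo for illustration (it omits the IPv6 zone-ID handling), bracketed_netloc_is_valid() applies the rule the fix enforces, and strict_urlsplit() wraps urllib.parse.urlsplit with that check so a misplaced bracket is refused on both patched and unpatched interpreters. The function names and sample URLs are this example's own.

```python
"""Bracketed-host handling around CVE-2025-0938 (added example, not CPython code)."""
from urllib.parse import SplitResult, urlsplit


def legacy_hostname(netloc: str) -> str:
    """Pre-fix host extraction, re-implemented here for illustration.

    Python partitioned on the first '[' and the following ']' without checking
    that nothing surrounded them, so 'prefix.[v6a.ip]' yielded 'v6a.ip'.
    The IPv6 zone-ID special case of the real property is omitted.
    """
    hostinfo = netloc.rpartition('@')[2]               # drop userinfo
    _, have_open_br, bracketed = hostinfo.partition('[')
    if have_open_br:
        hostname, _, _ = bracketed.partition(']')
    else:
        hostname, _, _ = hostinfo.partition(':')
    return hostname.lower()


def bracketed_netloc_is_valid(netloc: str) -> bool:
    """True if '[' and ']' are either absent or delimit the entire host.

    RFC 3986 only allows brackets around an IP-literal (IPv6 or IPvFuture);
    text before '[' or between ']' and the optional ':port' is invalid.
    This is the rule the CVE-2025-0938 fix enforces.
    """
    hostinfo = netloc.rpartition('@')[2]
    before, have_open_br, bracketed = hostinfo.partition('[')
    if not have_open_br:
        return ']' not in hostinfo                     # stray ']' without '['
    if before:                                         # e.g. 'prefix.[v6a.ip]'
        return False
    host, have_close_br, after = bracketed.partition(']')
    if not have_close_br or not host or '[' in host or ']' in after:
        return False                                   # unterminated, empty or nested
    return after == '' or after.startswith(':')        # only ':port' may follow


def strict_urlsplit(url: str) -> SplitResult:
    """urlsplit() that refuses misplaced brackets regardless of Python version."""
    parts = urlsplit(url)          # fixed interpreters already raise ValueError here
    if not bracketed_netloc_is_valid(parts.netloc):
        raise ValueError(
            f"Invalid IPv6 URL: brackets must enclose the whole host: {parts.netloc!r}")
    return parts


def is_rejected(url: str) -> bool:
    """Demo helper: does strict_urlsplit() refuse this URL?"""
    try:
        strict_urlsplit(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the advisory's own prefix.[v6a.ip] plus valid literals.
    for netloc in ("prefix.[v6a.ip]", "[v6a.ip].suffix",
                   "[2001:db8::1]:443", "example.com:80"):
        print(f"{netloc:20} legacy hostname={legacy_hostname(netloc)!r:16} "
              f"strict valid={bracketed_netloc_is_valid(netloc)}")
    print(strict_urlsplit("http://user:pw@[2001:db8::1]:443/path").hostname)
    print("rejected:", is_rejected("http://prefix.[v6a.ip]/"))
```

The legacy function shows why the bug is a differential-parsing problem rather than a crash: the prefix is not an error, it simply disappears from the reported host. The strict wrapper is the workaround described above; on an interpreter that already carries the fix, urlsplit() raises first and the extra check is a no-op.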

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 6

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 11

News mentions: 0

No linked articles in our index yet.