CVE-2025-0938

Advisory lineage Upstream: 0 Downstream: 40

Downstream

ALPINE-CVE-2025-0938 DEBIAN-CVE-2025-0938 DLA-4087-1 DLA-4354-1 MGASA-2025-0280 OPENSUSE-SU-2025:14750-1

Deferred

Published: 31 Jan 2025, 17:51

Last modified:21 Apr 2026, 20:14

Vulnerability Summary

Overall Risk (default)

medium

26/100

CVSS Score

6.3 MEDIUM

v4.0 (cve.org)

EPSS Score

1.64% LOW

2% probability +0.39%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

31 Jan 2025, 17:51

Published

Vulnerability first disclosed

21 Apr 2026, 20:14

Last Modified

Vulnerability information updated

Description

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

CVSS Metrics

v4.0•MEDIUM•Score: 6.3CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N
v4.0•MEDIUM•Score: 6.3CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Trends

Current EPSS score: 1.64%• Percentile: 82%

Techniques & Countermeasures

CWE-20•Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Affected Systems

python software foundation•cpython
< 3.9.22 | ≥ 3.10.0, < 3.10.17 | < 3.10.17 | ≥ 3.11.0, < 3.11.12 | ≥ 3.12.0, < 3.12.9 | ≥ 3.13.0, < 3.13.2 | ≥ 3.14.0a1, < 3.14.0a5