| Name | CVE-2025-0938 |
| Description | The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| pypy3 (PTS) | bullseye | 7.3.5+dfsg-2+deb11u2 | vulnerable |
| bullseye (security) | 7.3.5+dfsg-2+deb11u4 | vulnerable | |
| bookworm | 7.3.11+dfsg-2+deb12u3 | vulnerable | |
| sid, trixie | 7.3.19+dfsg-1 | fixed | |
| python3.11 (PTS) | bookworm | 3.11.2-6+deb12u5 | vulnerable |
| bookworm (security) | 3.11.2-6+deb12u3 | vulnerable | |
| python3.12 (PTS) | sid, trixie | 3.12.9-1 | fixed |
| python3.13 (PTS) | sid, trixie | 3.13.2-1 | fixed |
| python3.9 (PTS) | bullseye | 3.9.2-1 | vulnerable |
| bullseye (security) | 3.9.2-1+deb11u2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pypy3 | source | (unstable) | 7.3.18+dfsg-2 | |||
| python3.11 | source | (unstable) | (unfixed) | |||
| python3.12 | source | (unstable) | 3.12.9-1 | |||
| python3.13 | source | (unstable) | 3.13.2-1 | |||
| python3.9 | source | (unstable) | (unfixed) |
[bookworm] - python3.11 <no-dsa> (Minor issue)
[bullseye] - python3.9 <postponed> (Minor issue)
[bookworm] - pypy3 <no-dsa> (Minor issue)
[bullseye] - pypy3 <postponed> (Minor issue)
https://mail.python.org/archives/list/security-announce@python.org/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/
https://github.com/python/cpython/issues/105704
https://github.com/python/cpython/pull/129418
Fixed by: https://github.com/python/cpython/commit/d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a
Fixed by: https://github.com/python/cpython/commit/90e526ae67b172ed7c6c56e7edad36263b0f9403 (v3.13.2)
Fixed by: https://github.com/python/cpython/commit/a7084f6075c9595ba60119ce8c62f1496f50c568 (v3.12.9)
https://github.com/python/cpython/pull/129528 (3.11)
https://github.com/python/cpython/pull/129530 (3.9)