PT-2025-4103 · Python+10 · Python+10

Seth Larson

Published

2025-01-31

Updated

2026-05-18

CVE-2025-0938

CVSS v4.0

6.3

Medium

Vector

AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N

Name of the Vulnerable Software and Affected Versions Python (affected versions not specified)

Description The issue concerns the Python standard library functions urllib.parse.urlsplit and urlparse accepting domain names with square brackets, which is not valid according to RFC 3986. Square brackets are meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALSA-2025:23530

ALSA-2025:6977

ALSA-2025:7107

ALSA-2025:7109

ALSA-2026:5588

AZL-56231

AZL-56343

BDU:2025-04572

BIT-LIBPYTHON-2025-0938

BIT-PYTHON-2025-0938

BIT-PYTHON-MIN-2025-0938

CLEANSTART-2026-CI66802

CLEANSTART-2026-KM27583

CLEANSTART-2026-SP91806

CVE-2025-0938

DLA-4087-1

DLA-4354-1

ECHO-2B3D-4BA9-189D

INFSA-2025_6977

INFSA-2025_7107

INFSA-2025_7109

MGASA-2025-0280

OESA-2025-1148

OESA-2025-1149

OESA-2025-1150

OESA-2025-1151

OPENSUSE-SU-2025:14750-1

OPENSUSE-SU-2025:14751-1

OPENSUSE-SU-2025:14758-1

OPENSUSE-SU-2025:14759-1

OPENSUSE-SU-2025:14760-1

OPENSUSE-SU-2025:14761-1

OPENSUSE-SU-2025:15713-1

OPENSUSE-SU-2025_0386-1

OPENSUSE-SU-2025_0406-1

OPENSUSE-SU-2025_0419-1

OPENSUSE-SU-2025_0514-1

OPENSUSE-SU-2025_0521-1

OPENSUSE-SU-2025_0551-1

OPENSUSE-SU-2025_0554-1

OPENSUSE-SU-2025_0756-1

PSF-2025-1

RHSA-2025:6977

RHSA-2025:7107

RHSA-2025:7109

RHSA-2025_6977

RHSA-2025_7107

RHSA-2025_7109

RHSA-2026:5588

SUSE-SU-2025:02074-1

SUSE-SU-2025:0386-1

SUSE-SU-2025:0406-1

SUSE-SU-2025:0419-1

SUSE-SU-2025:0434-1

SUSE-SU-2025:0502-1

SUSE-SU-2025:0514-1

SUSE-SU-2025:0521-1

SUSE-SU-2025:0551-1

SUSE-SU-2025:0552-1

SUSE-SU-2025:0553-1

SUSE-SU-2025:0554-1

SUSE-SU-2025:0756-1

SUSE-SU-2025:0814-1

SUSE-SU-2025:20154-1

SUSE-SU-2025:20346-1

SUSE-SU-2025:20374-1

SUSE-SU-2025_0419-1

SUSE-SU-2025_0434-1

SUSE-SU-2025_0551-1

SUSE-SU-2025_0552-1

SUSE-SU-2025_0553-1

SUSE-SU-2025_0554-1

SUSE-SU-2025_0814-1

USN-7280-1

USN-7280-2

USN-7280-3

USN-7348-1

USN-7348-2

Affected Products

Almalinux

Astra Linux

Centos

Debian

Linuxmint

Python

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

PT-2025-4103 · Python+10 · Python+10

CVE-2025-0938

Weakness Enumeration

Related Identifiers

Affected Products

References · 326