CVE-2025-0938

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-0938

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-0938.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-0938

Aliases

Downstream

ALPINE-CVE-2025-0938

AZL-56231

AZL-56343

BELL-CVE-2025-0938

CLEANSTART-2026-CI66802

CLEANSTART-2026-KM27583

CLEANSTART-2026-SP91806

CLSA-2025-1741635599

CLSA-2025-1741635940

CLSA-2025-1742379028

CLSA-2025-1742919946

CLSA-2025-1750780647

CLSA-2026-1767629333

CLSA-2026-1767800092

CLSA-2026-1767800687

DEBIAN-CVE-2025-0938

DLA-4087-1

DLA-4354-1

ECHO-2b3d-4ba9-189d

MGASA-2025-0280

MINI-4793-rxpp-vxmp

MINI-4f3m-r4r7-7c3h

MINI-grf7-9fgw-pmm3

MINI-x6fh-v5m5-v96x

OESA-2025-1148

OESA-2025-1149

OESA-2025-1150

OESA-2025-1151

RHSA-2025:23530

RHSA-2025:6977

RHSA-2025:7107

RHSA-2025:7109

RHSA-2026:5588

RLSA-2025:23530

RLSA-2025:6977

RLSA-2025:7107

RLSA-2025:7109

SUSE-SU-2025:02074-1

SUSE-SU-2025:0386-1

SUSE-SU-2025:0406-1

SUSE-SU-2025:0419-1

SUSE-SU-2025:0434-1

SUSE-SU-2025:0502-1

SUSE-SU-2025:0514-1

SUSE-SU-2025:0521-1

SUSE-SU-2025:0551-1

SUSE-SU-2025:0552-1

SUSE-SU-2025:0553-1

SUSE-SU-2025:0554-1

SUSE-SU-2025:0756-1

SUSE-SU-2025:0814-1

SUSE-SU-2025:20154-1

SUSE-SU-2025:20346-1

SUSE-SU-2025:20374-1

UBUNTU-CVE-2025-0938

USN-7280-1

USN-7280-2

USN-7280-3

USN-7348-1

USN-7348-2

openSUSE-SU-2025:14750-1

openSUSE-SU-2025:14751-1

openSUSE-SU-2025:14758-1

openSUSE-SU-2025:14759-1

openSUSE-SU-2025:14760-1

openSUSE-SU-2025:14761-1

openSUSE-SU-2025:15713-1

Related

Published

2025-01-31T17:51:35.898Z

Modified

2026-06-03T03:54:54.801035373Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N CVSS Calculator

Summary

URL parser allowed square brackets in domain names

Details

The Python standard library functions urllib.parse.urlsplit and urlparse accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

Database specific

{
    "cwe_ids": [
        "CWE-20"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/0xxx/CVE-2025-0938.json",
    "cna_assigner": "PSF"
}

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type: GIT
Repo: https://github.com/python/cpython
Events: Introduced

b092705907c758d4f9742028652c9802f9f03dd3

Fixed

3ae91014827f41846432995472b08f89061b0c1c

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-0938.json"