ROS-20260505-73-0048

A vulnerability in the urllib.request.DataHandler component of the Python programming language interpreter is related to the failure to take measures to neutralize CRLF sequences. Exploitation of the vulnerability may allow a remote attacker to affect the integrity of protected information...

cpython: Header injection via newlines in data URL mediatype in Python

Missing newline filtering has been discovered in Python. User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...

OESA-2026-1458 python3 security update

Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C...

CVE-2025-15282 Header injection via newlines in data URL mediatype

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype...

PT-2026-3662

Name of the Vulnerable Software and Affected Versions Versions prior to 2025-15282 Description User-controlled data URLs parsed by urllib.request.DataHandler can allow injection of headers through newlines in the data URL mediatype. The issue involves the parsing of data URLs, potentially leading...

Server-side Request Forgery (SSRF)

Overview picklescan is a Security scanner detecting Python Pickle files performing suspicious actions Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the io.FileIO and urllib.request.urlopen functions chaining. An attacker can access arbitrary files on the...

Medium: python38

Issue Overview: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service ReDoS attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic...

CLSA-2021-1635430087 Fix CVE(s): CVE-2021-3737, CVE-2021-3733

SECURITY UPDATE: Denial of service - debian/patches/CVE-2021-3737-.patch: Fix http client infinite line reading DoS after a HTTP 100 continue in Lib/http/client.py, Lib/test/testhttplib.py. - CVE-2021-3737 SECURITY UPDATE: Denial of service - debian/patches/CVE-2021-3733.patch: fix a ReDoS in...

DEBIAN-CVE-2020-8492

Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service ReDoS attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking...

PT-2020-6268 · Python +9 · Python +9

Name of the Vulnerable Software and Affected Versions: Python versions 2.7 through 2.7.17 Python versions 3.5 through 3.5.9 Python versions 3.6 through 3.6.10 Python versions 3.7 through 3.7.6 Python versions 3.8 through 3.8.1 Description: The issue is related to an uncontrolled consumption of...

python: CRLF injection via the path part of the url passed to urlopen()

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n specifically in the path component of a URL that...