VDB

ALPINE-CVE-2025-0938

ALPINE-CVE-2025-0938 PUBLISHED CVSS 6.300000190734863 MEDIUM

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.

Risk Scores

CVSS v4.0
6.300000190734863
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Affected Products

VendorProductVersions
Alpine:v3.18python33.9.7-r4, 3.9.7-r3, 3.9.7-r2
Alpine:v3.22python33.8.7-r1, 3.5.2-r5, 3.12.7-r0
Alpine:v3.21python33.6.8-r1, 0, 3.1.3-r0
Alpine:v3.20python33.9.7-r4, 3.9.7-r3, 3.9.7-r2
Alpine:v3.23python33.6.7-r0, 3.8.5-r2, 3.11.4-r1
Alpine:v3.19python33.11.3-r0, 3.11.2-r0, 3.11.11-r0

Timeline

  • Jan 31, 2025 CVE Published
  • Dec 3, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›