VDB

CISA-2022-0391

CISA-2022-0391 PUBLISHED CVSS 7.5 HIGH

Reported by redhat · Published February 9, 2022

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products

VendorProductVersions
n/apythonpython 3.10.0b1, python 3.9.5, python 3.8.11, python 3.7.11, python 3.6.14
n/apythonpython 3.10.0b1, python 3.9.5, python 3.8.11, python 3.7.11, python 3.6.14, *

Timeline

  • Feb 9, 2022 CVE Published
  • Dec 17, 2025 CVE Updated
  • Apr 26, 2026 Security Advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›