Security Vulnerability Alert

Package: python v3.10.8

Vulnerability ID: BIT-python-2024-11168
Source: Open Source Vulnerabilities (OSV)
Severity:
Score: 0.0

Summary

Details

The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

References

• python/cpython@29f348e
• python/cpython@634ded4
• python/cpython@b2171a2
• python/cpython@ddca295
• [CVE-2024-11168] urlparse incorrectly retrieves IPv4 and regular name hosts from inside of brackets python/cpython#103848
• gh-103848: Adds checks to ensure that bracketed hosts found by urlsplit are of IPv6 or IPvFuture format python/cpython#103849
• https://mail.python.org/archives/list/security-announce@python.org/thread/XPWB6XVZ5G5KGEI63M4AWLIEUF5BPH4T/
• https://nvd.nist.gov/vuln/detail/CVE-2024-11168
• https://security.netapp.com/advisory/ntap-20250411-0004/