CVE-2025-0938
- ULN >
- Oracle Linux CVE repository >
- CVE-2025-0938
CVE Details
| Release Date: | 2025-01-31 | |
| Impact: | Moderate | What is this? |
Description
The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets which isn't valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing across the Python URL parser and other specification-compliant URL parsers.
See more information about CVE-2025-0938 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 6.8 |
| Vector String: | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |
| Version: | 3.1 |
| Attack Vector: | Network |
| Attack Complexity: | High |
| Privileges Required: | None |
| User Interaction: | None |
| Scope: | Changed |
| Confidentiality Impact: | None |
| Integrity Impact: | High |
| Availability Impact: | None |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 9 (python3.11) | ELSA-2025-7109 | 2025-05-16 |
| Oracle Linux version 9 (python3.12) | ELSA-2025-7107 | 2025-05-16 |
| Oracle Linux version 9 (python3.9) | ELSA-2025-6977 | 2025-05-16 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
