CVE-2025-0938 | URL parser allowed square brackets in domain names

The Python standard library functions `urllib.parse.urlsplit` and `urlparse` accepted domain names that included square brackets, which is not valid according to RFC 3986. Square brackets are only meant to be used as delimiters for specifying IPv6 and IPvFuture hosts in URLs. This could result in differential parsing between the Python URL parser and other specification-compliant URL parsers.
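As an added illustration (not code from CPython or from this advisory), the following check applies the RFC 3986 rule the description refers to: square brackets are accepted only as the delimiters of a well-formed IPv6 or IPvFuture literal, and any other occurrence in the host is rejected. The names `classify_host` and `host_kind` and all sample inputs are constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"[vV][0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+")
# RFC 3986 reg-name = *( unreserved / pct-encoded / sub-delims )
_REG_NAME = re.compile(r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*")
_PORT = re.compile(r"[0-9]*")


def classify_host(netloc: str) -> str:
    """Return 'ipv6', 'ipvfuture' or 'reg-name' for a URL authority.

    Raises ValueError when '[' or ']' appears anywhere other than as the
    delimiters of a well-formed IP literal, the RFC 3986 rule that an
    unpatched urlsplit() did not enforce.
    """
    host = netloc.rpartition("@")[2]  # drop any userinfo
    if host.startswith("["):
        end = host.find("]")
        if end == -1:
            raise ValueError("unterminated IP literal")
        literal, rest = host[1:end], host[end + 1:]
        # only an optional ':port' may follow the closing bracket
        if rest and not (rest.startswith(":") and _PORT.fullmatch(rest[1:])):
            raise ValueError(f"unexpected text after IP literal: {rest!r}")
        if literal[:1] in ("v", "V"):
            if not _IPVFUTURE.fullmatch(literal):
                raise ValueError("malformed IPvFuture literal")
            return "ipvfuture"
        try:
            ipaddress.IPv6Address(literal)
        except ValueError:
            raise ValueError("bracketed host is not an IPv6 address") from None
        return "ipv6"
    # no leading bracket: brackets are never valid in a reg-name or port
    if "[" in host or "]" in host:
        raise ValueError("square brackets outside an IP literal")
    name, _, port = host.partition(":")
    if not _PORT.fullmatch(port) or not _REG_NAME.fullmatch(name):
        raise ValueError("invalid reg-name or port")
    return "reg-name"


def host_kind(url: str) -> str:
    """Split with the stdlib parser, then apply the stricter host check."""
    return classify_host(urlsplit(url).netloc)
```

Running `host_kind` on untrusted URLs before they are compared with or forwarded to another parser removes the differential described above, whether or not the interpreter already carries the upstream fix.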

Published: 2025-01-31 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2025-0938 is rated Moderate Risk (49.4/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.44%). Mandatory action: Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-0938

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

#  Date        Old EPSS score  New EPSS score  Delta (New - Old)
1  2026-06-15  1.64%           1.44%           -0.20%
2  2026-05-06  1.48%           1.64%           +0.16%
3  2026-04-23  (first record)  1.48%

Full EPSS history (32 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-0938

CVSS metrics for this CVE.

Base score: 6.3 (CVSS version 4.0, severity MEDIUM; exploitability and impact sub-scores not given)
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:H)
Exploitation depends on constrained or hard-to-reproduce conditions.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:N)
No confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:L)
Limited integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:L)
Limited integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.
Exploit maturity (threat) (E:X)
Not defined: no reliable threat intelligence; scoring assumes the worst case (equivalent to Attacked).
Confidentiality requirement (CR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Integrity requirement (IR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Availability requirement (AR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Modified attack vector (MAV:X)
Not defined: scoring uses the Base Attack Vector (AV).
Modified attack complexity (MAC:X)
Not defined: scoring uses the Base Attack Complexity (AC).
Modified attack requirements (MAT:X)
Not defined: scoring uses the Base Attack Requirements (AT).
Modified privileges required (MPR:X)
Not defined: scoring uses the Base Privileges Required (PR).
Modified user interaction (MUI:X)
Not defined: scoring uses the Base User Interaction (UI).
Modified vulnerable system confidentiality impact (MVC:X)
Not defined: scoring uses the Base VC metric.
Modified vulnerable system integrity impact (MVI:X)
Not defined: scoring uses the Base VI metric.
Modified vulnerable system availability impact (MVA:X)
Not defined: scoring uses the Base VA metric.
Modified subsequent system confidentiality impact (MSC:X)
Not defined: scoring uses the Base SC metric.
Modified subsequent system integrity impact (MSI:X)
Not defined: scoring uses the Base SI metric.
Modified subsequent system availability impact (MSA:X)
Not defined: scoring uses the Base SA metric.
Safety (supplemental) (S:X)
Not evaluated.
Automatable (supplemental) (AU:X)
Not evaluated.
Recovery (supplemental) (R:X)
Not evaluated.
Value density (supplemental) (V:X)
Not evaluated.
Vulnerability response effort (supplemental) (RE:X)
Not evaluated.
Provider urgency (supplemental) (U:X)
Not evaluated.
Score source: [email protected]

Weakness enumeration for CVE-2025-0938

OS Trackers for CVE-2025-0938

vendor priority summary link
alpine medium CVE-2025-0938: 1 source package row (python3); 6 state rows across 6 repos (3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 6, open 0. https://security.alpinelinux.org/vuln/CVE-2025-0938
debian not yet assigned CVE-2025-0938 not yet assigned priority: Debian including 4 source packages (pypy3, python3.11, python3.13, python3.9), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 9, open 1. https://security-tracker.debian.org/tracker/CVE-2025-0938
redhat medium https://access.redhat.com/security/cve/CVE-2025-0938
suse medium CVE-2025-0938 severity moderate: SUSE including 670 source package names (0.0.17-1.1:libpython3_11-1_0-3.11.11-150600.3.16.2, 0.0.17-1.1:libpython3_6m1_0-3.6.15-150300.10.81.1, …), 2346 product×package rows across 361 product lines (Container bci/kiwi, Container bci/python, … (361 product lines)): Fixed 2125, Known Affected 221. https://www.suse.com/security/cve/CVE-2025-0938/
ubuntu medium CVE-2025-0938 medium priority: Ubuntu including 12 source packages (pypy3, python2.7, …), 93 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 62, released 22, needs-triage 4, ignored 3, not-affected 2. https://ubuntu.com/security/CVE-2025-0938

Affected software / configurations for CVE-2025-0938

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2025-0938

URL Tags
https://github.com/python/cpython/commit/526617ed68cde460236c973e5d0a8bad4de896ba
https://github.com/python/cpython/commit/90e526ae67b172ed7c6c56e7edad36263b0f9403
https://github.com/python/cpython/commit/a7084f6075c9595ba60119ce8c62f1496f50c568
https://github.com/python/cpython/commit/b8b4b713c5f8ec0958c7ef8d29d6711889bc94ab
https://github.com/python/cpython/commit/d89a5f6a6e65511a5f6e0618c4c30a7aa5aba56a
https://github.com/python/cpython/commit/ff4e5c25666f63544071a6b075ae8b25c98b7a32
https://github.com/python/cpython/issues/105704
https://github.com/python/cpython/pull/129418
https://mail.python.org/archives/list/[email protected]/thread/K4EUG6EKV6JYFIC24BASYOZS4M5XOQIB/
https://lists.debian.org/debian-lts-announce/2025/03/msg00013.html
https://security.netapp.com/advisory/ntap-20250314-0002/