CVE-2025-15282
Unknown Unknown - Not Provided
Header Injection via Newlines in urllib.request.DataHandler Data URLs

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Python Software Foundation

Description
User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15282
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
python cpython 3.10
python cpython 3.11
python cpython 3.12
python cpython 3.13
python cpython 3.14
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-93 The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs because user-controlled data URLs parsed by urllib.request.DataHandler allow an attacker to inject HTTP headers by including newline characters in the media type portion of the data URL. This means that malicious input can manipulate how headers are processed, potentially leading to unexpected behavior.

Impact Analysis

The impact of this vulnerability is that an attacker with the ability to control data URLs can inject headers, which may lead to security issues such as header injection attacks. This can affect the integrity and security of applications using urllib.request.DataHandler, potentially leading to privilege escalation or other security breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15282. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart