CVE-2025-15282
Header Injection via Newlines in urllib.request.DataHandler Data URLs
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Python Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | cpython | 3.10 |
| python | cpython | 3.11 |
| python | cpython | 3.12 |
| python | cpython | 3.13 |
| python | cpython | 3.14 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because user-controlled data URLs parsed by urllib.request.DataHandler allow an attacker to inject HTTP headers by including newline characters in the media type portion of the data URL. This means that malicious input can manipulate how headers are processed, potentially leading to unexpected behavior.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker with the ability to control data URLs can inject headers, which may lead to security issues such as header injection attacks. This can affect the integrity and security of applications using urllib.request.DataHandler, potentially leading to privilege escalation or other security breaches.
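As an added example (not CPython's code and not part of this record), the block below is an input filter an application can run on a user-supplied data: URL before handing it to urllib.request. The function names, the hand-written RFC 2397 split and the strict token-only allow-list are this example's own choices. It refuses any media type carrying a bare CR or LF, which is the injection point the description names, and it goes a step beyond the single case in the text by also enforcing a token grammar on the type/subtype and parameters, so stray whitespace or separators are rejected as well.

```python
import base64
import binascii
import re
from urllib.parse import unquote_to_bytes

# RFC 2045 "token" characters: no whitespace, no CR/LF, no separators.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Media type shape: [type/subtype] followed by zero or more ;attr=value
# parameters. Values are restricted to tokens (quoted-strings are refused on
# purpose, which is stricter than RFC 2397 allows).
_MEDIATYPE_RE = re.compile(rf"^(?:{_TOKEN}/{_TOKEN})?(?:;{_TOKEN}={_TOKEN})*$")


class UnsafeDataURL(ValueError):
    """Raised for a data: URL that must not reach urllib.request."""


def split_data_url(url: str):
    """Split data:[<mediatype>][;base64],<data> into (mediatype, is_base64, payload).

    Raises UnsafeDataURL on anything that does not fit the grammar, including
    a CR or LF anywhere in the media type. The split is done by hand rather
    than with urllib.parse.urlsplit because urlsplit strips tab, CR and LF
    from the URL before returning it, which would hide the very bytes this
    check exists to refuse.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "data":
        raise UnsafeDataURL("not a data: URL")
    mediatype, sep, payload = rest.partition(",")
    if not sep:
        raise UnsafeDataURL("missing ',' between media type and data")
    # Explicit CR/LF check first so the rejection reason is unambiguous:
    # a newline here is what turns the media type into extra header lines.
    if "\r" in mediatype or "\n" in mediatype:
        raise UnsafeDataURL("CR/LF in media type")
    is_base64 = mediatype.endswith(";base64")
    if is_base64:
        mediatype = mediatype[: -len(";base64")]
    if not _MEDIATYPE_RE.match(mediatype):
        raise UnsafeDataURL(f"media type not well-formed: {mediatype!r}")
    raw = unquote_to_bytes(payload)
    if is_base64:
        try:
            # validate=True rejects any non-alphabet byte, newlines included.
            raw = base64.b64decode(raw, validate=True)
        except binascii.Error as exc:
            raise UnsafeDataURL(f"bad base64 payload: {exc}") from None
    return mediatype, is_base64, raw


def is_safe_data_url(url: str) -> bool:
    """True if split_data_url accepts the URL, False otherwise."""
    try:
        split_data_url(url)
    except UnsafeDataURL:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples for illustration; none are taken from the advisory.
    for sample in (
        "data:text/plain;charset=utf-8,hello%20world",
        "data:;base64,aGVsbG8=",
        "data:text/plain\nX-Injected: yes,hello",
    ):
        print(repr(sample), "->", "ok" if is_safe_data_url(sample) else "REJECTED")
```

This filter is defence in depth for code that accepts data URLs from untrusted input; updating CPython to a release that carries the fix remains the actual remedy for the affected versions listed above. The CR/LF test is kept separate from the regex so that a rejection log entry says plainly which problem was found.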