CVE-2026-0672
HTTP Header Injection via http.cookies.Morsel in Python
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Python Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | cpython | 3.10 |
| python | cpython | 3.11 |
| python | cpython | 3.12 |
| python | cpython | 3.13 |
| python | cpython | 3.14 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Python http.cookies.Morsel module, where user-controlled cookie values and parameters can be used to inject HTTP headers into messages. This happens because control characters were not properly rejected in cookie names, values, and parameters. The patch fixes this by rejecting all control characters in these fields.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to inject arbitrary HTTP headers via cookie values or parameters, potentially leading to security issues such as HTTP response splitting, web cache poisoning, or other attacks that manipulate HTTP headers. This can compromise the integrity and security of web communications.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch that rejects all control characters within cookie names, values, and parameters in the http.cookies.Morsel module to prevent HTTP header injection.