Data Handler Vulnerability in Python's urllib Request
CVE-2025-15282

6MEDIUM

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
20 January 2026

What is CVE-2025-15282?

A security vulnerability in Python's urllib request module allows for header injection through user-controlled data URLs. By exploiting this flaw, an attacker can introduce newlines in the data URL mediatype, which could lead to the execution of arbitrary headers in a request. This vulnerability highlights the need for secure handling of user input and emphasizes the importance of validating data formats before use.

Affected Version(s)

CPython 0 < 3.10.20

CPython 3.11.0 < 3.11.15

CPython 3.12.0 < 3.12.13

References

https://github.com/python/cpython/pull/143926
patch
https://github.com/python/cpython/issues/143925
issue-tracking
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.