Python URL parsing function flaw can enable command execution

Pierluigi Paganini August 12, 2023

A severe vulnerability in the Python URL parsing function can be exploited to gain arbitrary file reads and command execution.

Researchers warn of a high-severity security vulnerability, tracked as CVE-2023-24329 (CVSS score of 7.5), has been disclosed in the Python URL parsing function that could be exploited to bypass blocklisting methods.

Successful exploitation of the vulnerability can lead to arbitrary file reads and command execution.

“An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.” reads the advisory published by CERT Coordination Center (CERT/CC). “urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.”

The researchers pointed out that urlsplit() and urlparse() APIs do not perform input validation and may not raise errors on invalid inputs.

Python URL parsing function

The issue can be exploited by providing an URL that starts with blank characters.

The vulnerability was discovered by researcher Yebo Cao in July 2022.

“I personally think the impact of this vulnerability is huge because this urlparse() library is widely used. Although blocklist is considered an inferior choice, there are many scenarios where blocklist is still needed.” wrote Cao. “This vulnerability would help an attacker to bypass the protections set by the developer for scheme and host. This vulnerability can be expected to help SSRF and RCE in a wide range of scenarios.”

The issue impacts all python versions before 3.11.

The vulnerability has been fixed with the release of the following versions:

  • >= 3.12
  • 3.11.x >= 3.11.4
  • 3.10.x >= 3.10.12
  • 3.9.x >= 3.9.17
  • 3.8.x >= 3.8.17, and
  • 3.7.x >= 3.7.17

The flaw should also be mitigated by adding strip() function before processing the URL.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Python URL)

you might also like

leave a comment