Python URL parsing function flaw can enable command execution

A severe vulnerability in the Python URL parsing function can be exploited to gain arbitrary file reads and command execution.

Researchers warn of a high-severity security vulnerability, tracked as CVE-2023-24329 (CVSS score of 7.5), has been disclosed in the Python URL parsing function that could be exploited to bypass blocklisting methods.

Successful exploitation of the vulnerability can lead to arbitrary file reads and command execution.

“An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.” reads the advisory published by CERT Coordination Center (CERT/CC). “urlparse has a parsing problem when the entire URL starts with blank characters. This problem affects both the parsing of hostname and scheme, and eventually causes any blocklisting methods to fail.”

The researchers pointed out that urlsplit() and urlparse() APIs do not perform input validation and may not raise errors on invalid inputs.

The issue can be exploited by providing an URL that starts with blank characters.

The vulnerability was discovered by researcher Yebo Cao in July 2022.

“I personally think the impact of this vulnerability is huge because this urlparse() library is widely used. Although blocklist is considered an inferior choice, there are many scenarios where blocklist is still needed.” wrote Cao. “This vulnerability would help an attacker to bypass the protections set by the developer for scheme and host. This vulnerability can be expected to help SSRF and RCE in a wide range of scenarios.”

The issue impacts all python versions before 3.11.

The vulnerability has been fixed with the release of the following versions:

>= 3.12
3.11.x >= 3.11.4
3.10.x >= 3.10.12
3.9.x >= 3.9.17
3.8.x >= 3.8.17, and
3.7.x >= 3.7.17

The flaw should also be mitigated by adding strip() function before processing the URL.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Python URL)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.