CVE-2022-0391

A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like '\r' and '\n' in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11 and 3.6.14.

Published: Feb 9, 2022
Updated: Nov 4, 2025
CVE: CVE-2022-0391
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
python / python	3.10.0-alpha1	3.10.0-alpha1.x
python / python	3.10.0-alpha2	3.10.0-alpha2.x
python / python	3.10.0-alpha3	3.10.0-alpha3.x
python / python	3.10.0-alpha4	3.10.0-alpha4.x
python / python	3.10.0-alpha5	3.10.0-alpha5.x
python / python	3.10.0-alpha6	3.10.0-alpha6.x
python / python	3.9.0	3.9.5
python / python	3.8.0	3.8.11
python / python	3.7.0	3.7.11
python / python	-	3.6.14
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
oracle / http_server	12.2.1.3.0	12.2.1.3.0.x
oracle / http_server	12.2.1.4.0	12.2.1.4.0.x
oracle / zfs_storage_appliance_kit	8.8	8.8.x

Vulnerability Database

317,182

CVE-2022-0391

Deep Security Visibility Without the Complexity