
Description

When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injection of HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters.
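A server-side check that mirrors the fix, added here as an example rather than code from the CPython patch or the Python project: it refuses control characters in the cookie name, value and every attribute before handing them to http.cookies.Morsel, so the protection holds even on an interpreter that has not been updated. `offending_field` and `build_set_cookie` are hypothetical helper names.

```python
import re
from http import cookies

# Any ASCII control character (0x00-0x1F, 0x7F). CR and LF are the ones
# that terminate a Set-Cookie header line, but the CPython fix rejects the
# whole class, so this check does the same.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def offending_field(name, value, attributes):
    """Return the label of the first cookie field (name, value or an
    attribute such as path/domain) that contains a control character,
    or None when every field is clean. Hypothetical helper."""
    fields = {"name": name, "value": value, **attributes}
    for label, text in fields.items():
        if isinstance(text, str) and _CONTROL_CHARS.search(text):
            return label
    return None


def build_set_cookie(name, value, **attributes):
    """Build a Set-Cookie header value with http.cookies.Morsel, refusing
    any field with a control character before Morsel ever sees it (so the
    check holds on unpatched interpreters too). Hypothetical helper;
    attribute keywords use '_' for '-' (max_age -> Max-Age)."""
    bad = offending_field(name, value, attributes)
    if bad is not None:
        raise ValueError(f"control character in cookie {bad}")
    jar = cookies.SimpleCookie()
    jar[name] = value                 # CookieError if the name is not legal
    morsel = jar[name]
    for attr, text in attributes.items():
        morsel[attr.replace("_", "-")] = text   # path, domain, max-age, ...
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample: a normal session cookie, then one whose Path
    # attribute carries a CR LF pair and must be refused.
    print(build_set_cookie("session", "abc123", path="/", httponly=True,
                           secure=True))
    try:
        build_set_cookie("session", "abc123", path="/\r\nX-Injected: 1")
    except ValueError as err:
        print("rejected:", err)
```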

State: PUBLISHED | Reserved: 2026-01-07 | Published: 2026-01-20 | Updated: 2026-02-11 | Assigner: PSF

Severity: MEDIUM 6.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')

Product status

Default status: unaffected

Any version before 3.13.12: affected

3.14.0 (python) before 3.14.3: affected

3.15.0a1 (python) before 3.15.0a6: affected

Credits

Omar M. Hasan (reporter)

References

github.com/python/cpython/pull/143920 (patch)

github.com/python/cpython/issues/143919 (issue tracking)

mail.python.org/.../thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/ (vendor advisory)

github.com/...ommit/95746b3a13a985787ef53b977129041971ed7f70 (patch)

github.com/...ommit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440 (patch)

github.com/...ommit/62700107418eb2cca3fc88da036a243ea975f172 (patch)

github.com/...ommit/7852d72b653fea0199acf5fc2a84f6f8b84eba8d (patch)

github.com/...ommit/918387e4912d12ffc166c8f2a38df92b6ec756ca (patch)

github.com/...ommit/b1869ff648bbee0717221d09e6deff46617f3e85 (patch)

cve.org (CVE-2026-0672)

nvd.nist.gov (CVE-2026-0672)
