CVE Vulnerabilities

CVE-2025-15282

Improper Neutralization of CRLF Sequences ('CRLF Injection')

Published: Jan 20, 2026 | Modified: Jan 26, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
4.8 MODERATE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

Weakness

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Affected Software

NameVendorStart VersionEnd Version
Python3.10Ubuntujammy*
Python3.11Ubuntuesm-apps/jammy*
Python3.11Ubuntujammy*
Python3.12Ubuntunoble*
Python3.13Ubuntuquesting*
Python3.14Ubuntuquesting*
Python3.4Ubuntuesm-infra-legacy/trusty*
Python3.5Ubuntuesm-infra-legacy/trusty*
Python3.5Ubuntuesm-infra/xenial*
Python3.6Ubuntuesm-infra/bionic*
Python3.7Ubuntuesm-apps/bionic*
Python3.8Ubuntuesm-apps/bionic*
Python3.8Ubuntuesm-infra/focal*
Python3.9Ubuntuesm-apps/focal*

Potential Mitigations

References