PYSEC-2020-148

Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
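
The check that closes this class of bug is an allow-list on the method string before it reaches the request line. The sketch below is an added example, not urllib3's own code. The names validate_method, request_line and is_fixed are hypothetical, and the sample inputs are constructed.

```python
import re

# RFC 7230 "token": the only characters permitted in an HTTP method.
_METHOD_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
FIXED_IN = (1, 25, 9)  # first fixed release, per the advisory text


def validate_method(method):
    """Return method unchanged, or raise ValueError if it is not a token."""
    # fullmatch (not match + "$") so a trailing "\n" cannot slip through.
    if not isinstance(method, str) or not _METHOD_TOKEN.fullmatch(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    return method


def request_line(method, target="/"):
    """Build the request line only after the method has been validated.

    The target is assumed trusted here; it needs its own validation.
    """
    return "%s %s HTTP/1.1\r\n" % (validate_method(method), target)


def is_fixed(version):
    """True if a urllib3 version string is 1.25.9 or later."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError("unparseable version: %r" % (version,))
    return tuple(int(p or 0) for p in m.groups()) >= FIXED_IN


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for candidate in ("GET", "PROPFIND", "GET\r\nX-Constructed: 1", "GET /x"):
        try:
            print(repr(request_line(candidate)))
        except ValueError as exc:
            print("rejected:", exc)
    for v in ("1.24.3", "1.25.8", "1.25.9", "2.2.1"):
        print(v, "fixed" if is_fixed(v) else "affected")
```

Applications that pass user-influenced values as the method can apply the same check at their own boundary, regardless of the installed urllib3 version.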

Affected packages

PyPI / urllib3
Introduced in: 0
Fixed in: 1dd69c5c5982fae7c87a620d487c2ebf7a6b436b
Fix: pip install --upgrade 'urllib3>=1.25.9'

References