5.7

CVE-2026-1502

HTTP client proxy tunnel headers not validated for CR/LF

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPython Software Foundation
Produkt CPython
Default Statusunaffected
Version 0
Version < 3.13.14
Status affected
Version 3.14.0a1
Version < 3.14.5rc1
Status affected
Version 3.15.0a1
Version < 3.15.0b1
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.426
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
cna@python.org 5.7 0 0
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

https://github.com/python/cpython/pull/146212
https://github.com/python/cpython/issues/146211
https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPAEQWUJBCTQZEJEVTYCIKSMQPGRZ3/
https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef69
http://www.openwall.com/lists/oss-security/2026/04/11/4
https://github.com/python/cpython/commit/b1cf9016335cb637c5a425032e8274a224f4b2ed
https://github.com/python/cpython/commit/9e071c9b28c17f347f81b388a003d4eeb3c7a8dd
https://github.com/python/cpython/commit/c00c386faa579ad71196d33408644478488e43ec
https://github.com/python/cpython/commit/56b7100b04e44ea27989242b176beb8f016b2c53
https://github.com/python/cpython/commit/58703ec1bdd1eb075e8b01a0c427683ce594dd3e