Impact
A flaw in Python's urllib.parse.urlsplit and urlparse accepts domain names containing square brackets, which RFC 3986 permits only as the delimiters of an IPv6 or IPvFuture address literal. Because of this missing input validation, Python parses such URLs differently from other RFC-compliant parsers, and applications that compare or act on the parsed hostname can be exposed to security-sensitive logic errors such as incorrect hostname verification or unauthorized redirects. The issue is classified as CWE-20 (Improper Input Validation).
Affected Systems
The defect resides in CPython, the reference implementation of Python produced by the Python Software Foundation. Any deployment of CPython whose code calls the affected urllib.parse functions, including applications and services built against older Python releases, may be impacted. Red Hat Enterprise Linux 9 and related packages that ship Python, as indicated by the supplied CPE identifiers, are therefore also covered.
Risk and Exploitability
The CVSS score of 6.3 indicates moderate severity, while the EPSS score of 1 % suggests a low likelihood of exploitation at the time of assessment, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an attacker who can supply a URL containing square brackets in its domain name to an application that passes it directly to urllib.parse. Because the parsing error creates a mismatch between the hostname seen by Python and the hostname seen by other parsers, a malicious user could potentially bypass hostname checks or redirect logic, facilitating phishing or other logic-bypass attacks. This exploitation path is inferred from the description and the nature of the flaw; the CVE text itself does not describe one.
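The mitigation for applications that cannot immediately upgrade is to stop trusting `SplitResult.hostname` on its own and re-check the authority component against RFC 3986 before any hostname comparison. The following is an added example, not code from this advisory or from CPython: it reparses the netloc returned by `urlsplit`, accepts square brackets only when they wrap a valid IPv6 or IPvFuture literal, rejects them anywhere else, and wraps the result in an allowlist check that fails closed. The function names (`split_authority`, `validate_host`, `strict_hostname`, `host_is_allowed`) and the sample URLs are constructed for the example; the regular expressions follow the `IPvFuture` and `reg-name` grammar in RFC 3986.

```python
"""Hostname pre-validation for URLs before trusting urllib.parse results.

Added example (not code from the advisory or from CPython). It re-checks the
authority component against RFC 3986 so that square brackets are accepted
only when they delimit a valid IPv6 or IPvFuture literal, which is the check
the advisory says affected urllib.parse releases lacked.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 IPvFuture: "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"^v[0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+$")
# RFC 3986 reg-name: *( unreserved / pct-encoded / sub-delims ); no brackets or ':'
_REG_NAME = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+$")


def split_authority(netloc):
    """Return (host, port_text) from an authority string, keeping brackets intact.

    Deliberately avoids SplitResult.hostname: on affected interpreters that
    property strips the brackets before a caller can inspect where they were.
    """
    _, _, hostport = netloc.rpartition("@")  # drop any userinfo
    if hostport.startswith("["):
        close = hostport.find("]")
        if close == -1:
            raise ValueError("unterminated IP literal in authority")
        host, rest = hostport[: close + 1], hostport[close + 1:]
        if rest and not rest.startswith(":"):
            raise ValueError("unexpected characters after IP literal")
        port = rest[1:]
    else:
        host, _, port = hostport.partition(":")
    if port and not port.isdigit():
        raise ValueError(f"port must be decimal digits, got {port!r}")
    return host, port


def validate_host(host):
    """Return the host normalised to lower case, or raise ValueError if it
    is not a valid RFC 3986 IP-literal or reg-name."""
    if host.startswith("[") and host.endswith("]"):
        literal = host[1:-1]
        if _IPVFUTURE.match(literal):
            return host.lower()
        # RFC 6874 spells a zone id as "%25zone"; ipaddress expects a bare "%".
        candidate = literal.replace("%25", "%", 1)
        try:
            return "[" + str(ipaddress.IPv6Address(candidate)) + "]"
        except ValueError:
            raise ValueError(f"not a valid IPv6/IPvFuture literal: {host!r}") from None
    if "[" in host or "]" in host:
        # This is the case the advisory describes: brackets inside a domain name.
        raise ValueError(f"square brackets are only valid around an IP literal: {host!r}")
    if not _REG_NAME.match(host):
        raise ValueError(f"invalid reg-name host: {host!r}")
    return host.lower()


def strict_hostname(url):
    """Parse url and return a validated host, raising ValueError otherwise.

    Works on both fixed and affected interpreters: a fixed urlsplit already
    raises on misplaced brackets, and on an affected one split_authority and
    validate_host catch what urlsplit let through.
    """
    parts = urlsplit(url)
    host, _port = split_authority(parts.netloc)
    return validate_host(host)


def host_is_allowed(url, allowlist):
    """Allowlist comparison that fails closed on any parse or validation error."""
    allowed = {h.lower() for h in allowlist}
    try:
        return strict_hostname(url) in allowed
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one valid name, one valid IPv6 literal, and
    # two malformed authorities with brackets inside the domain name.
    for sample in ("https://Example.COM:8443/path",
                   "https://[2001:db8::1]:443/",
                   "https://[example.com]/",
                   "https://example.com[2001:db8::1]/"):
        print(f"{sample:45} allowed={host_is_allowed(sample, ['example.com'])}")
```

Because `host_is_allowed` returns `False` for every `ValueError`, a URL that a fixed interpreter rejects and a URL that an affected interpreter silently misparses are handled identically, which keeps redirect and hostname-verification logic consistent across the Python versions a fleet may be running.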
OpenCVE Enrichment