User-controlled data URLs parsed by urllib.request... · CVE-2025-15282 · GitHub Advisory Database · GitHub

User-controlled data URLs parsed by urllib.request...

Moderate severity Unreviewed Published Jan 21, 2026 to the GitHub Advisory Database • Updated Jan 26, 2026

Package

No package listed— Suggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype.

References

Published by the National Vulnerability Database

Jan 20, 2026

Published to the GitHub Advisory Database Jan 21, 2026

Last updated Jan 26, 2026

Severity

Moderate

/ 10

CVSS v4 base metrics

Exploitability Metrics

Attack Vector Network

Attack Complexity Low

Attack Requirements Present

Privileges Required Low

User interaction None

Vulnerable System Impact Metrics

Confidentiality None

Integrity High

Availability None

Subsequent System Impact Metrics

Confidentiality None

Integrity Low

Availability None

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X