http.cookiejar: Incorrect validation of path


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This database can be viewed online at the Open Source Vulnerability Database.

Cookies of with path=/any were sent to while using a cookiejar with the http.cookiejar.DefaultCookiePolicy policy. The code did not check that the first non-matching character in the prefix match was a slash.
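
The missing boundary check, as an added example (not code from CPython or from this page): a prefix-only match beside one that requires a slash after the prefix, plus a probe of the running interpreter's DefaultCookiePolicy. The function names, the host example.com, the cookie name and value, and the request paths other than /any are constructed for illustration.

```python
import http.cookiejar
import urllib.request


def naive_path_match(cookie_path, request_path):
    """Prefix-only check: the behaviour the advisory describes as incorrect."""
    return request_path.startswith(cookie_path)


def boundary_path_match(cookie_path, request_path):
    """Prefix check that also requires a "/" boundary after the prefix."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # request_path is strictly longer here, so the index below is valid.
    # Either the cookie path ends in "/", or the first request-path
    # character after the prefix must be "/".
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def stdlib_sends_cookie(cookie_path, url):
    """Return True if the running interpreter's DefaultCookiePolicy attaches
    a cookie stored with cookie_path to a request for url (no network I/O)."""
    jar = http.cookiejar.CookieJar(http.cookiejar.DefaultCookiePolicy())
    jar.set_cookie(http.cookiejar.Cookie(
        version=0, name="session", value="constructed-value",  # constructed
        port=None, port_specified=False,
        domain="example.com", domain_specified=False,  # constructed host
        domain_initial_dot=False,
        path=cookie_path, path_specified=True,
        secure=False, expires=None, discard=True,
        comment=None, comment_url=None, rest={}))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.has_header("Cookie")


if __name__ == "__main__":
    # Constructed request paths: exact match, sub-path, sibling sharing the
    # prefix, and an unrelated path.
    for req_path in ("/any", "/any/sub", "/anybad", "/other"):
        print(req_path,
              "naive:", naive_path_match("/any", req_path),
              "boundary:", boundary_path_match("/any", req_path),
              "stdlib:", stdlib_sends_cookie("/any", "http://example.com" + req_path))
```

On an interpreter that carries the fix, the stdlib column matches the boundary column; a True for /anybad in the stdlib column indicates an unpatched http.cookiejar.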


  • Disclosure date: 2019-01-03 (Python issue bpo-35647 reported)

Fixed In

Python issue

Cookie path check returns incorrect results.

  • Python issue: bpo-35647
  • Creation date: 2019-01-03
  • Reporter: Karthikeyan Singaravelan


Timeline using the disclosure date 2019-01-03 as reference: