CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen()


This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

http.client allows to pass control characters like CRLF newlines which can be abused to inject HTTP headers.


  • Disclosure date: 2019-10-24 (Python issue bpo-38576 reported)

Fixed In

Python issue

CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen().

  • Python issue: bpo-38576
  • Creation date: 2019-10-24
  • Reporter: Riccardo Schirone


An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with rn (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.). This is fixed in: v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1; v3.6.11, v3.6.11rc1, v3.6.12; v3.7.8, v3.7.8rc1, v3.7.9; v3.8.3, v3.8.3rc1, v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1.


Timeline using the disclosure date 2019-10-24 as reference: