[CVE-2024-11168] Improper validation of IPv6 and IPvFuture addresses
12 Nov 2024, 9:23 p.m.
There is a MEDIUM severity vulnerability affecting CPython.
The urllib.parse.urlsplit() and urlparse() functions improperly validated
bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This
behavior was not conformant to RFC 3986 and potentially enabled SSRF if a
URL is processed by more than one URL parser.
Please see the linked CVE ID for the latest information on affected versions:
Seth Larson
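
An added example, not part of the advisory and not CPython's own code: a stand-alone check that a bracketed host is an IPv6 or IPvFuture literal per RFC 3986, which an application can apply after urlsplit() regardless of interpreter version. The function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import SplitResult, urlsplit

# RFC 3986 section 3.2.2:
# IPvFuture = "v" 1*HEXDIG "." 1*( unreserved / sub-delims / ":" )
_IPVFUTURE = re.compile(r"[vV][0-9A-Fa-f]+\.[A-Za-z0-9\-._~!$&'()*+,;=:]+")


def bracketed_host_is_valid(netloc: str) -> bool:
    """True if netloc has no bracketed host, or a well-formed one."""
    hostport = netloc.rpartition("@")[2]  # drop any userinfo
    if "[" not in hostport and "]" not in hostport:
        return True  # ordinary reg-name or IPv4 host, nothing to check here
    if (not hostport.startswith("[")
            or hostport.count("[") != 1 or hostport.count("]") != 1):
        return False
    literal, _, rest = hostport[1:].partition("]")
    # Only an optional ":port" may follow the closing bracket.
    if rest and not re.fullmatch(r":[0-9]*", rest):
        return False
    if literal[:1] in ("v", "V"):
        return _IPVFUTURE.fullmatch(literal) is not None
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return False  # e.g. "[example.com]"
    return addr.version == 6  # an IPv4 literal in brackets is not allowed


def split_checked(url: str) -> SplitResult:
    """urlsplit() plus the bracket check (hypothetical helper name)."""
    parts = urlsplit(url)  # patched interpreters already raise ValueError here
    if not bracketed_host_is_valid(parts.netloc):
        raise ValueError(f"invalid bracketed host in {url!r}")
    return parts


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("http://[2001:db8::1]:8080/x", "http://[example.com]/",
              "http://[127.0.0.1]/", "http://[v1.fe80]/"):
        try:
            print(u, "->", split_checked(u).hostname)
        except ValueError as exc:
            print(u, "-> rejected:", exc)
```

Rejecting the URL at the first parser, rather than normalizing it, keeps every later parser in the chain from seeing a host it might interpret differently.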