Vulnerability: urlsplit does not handle NFKC normalization

Steve Dower steve.dower at
Thu Mar 7 13:52:13 EST 2019

We recently disclosed and patched a potential vulnerability in Python 
applications that use urlsplit() or urlparse() on user-provide URLs.

You may be impacted if a user can provide a Unicode URL to your 
application that is later converted to IDNA (Punycode) or ASCII. This 
conversion will decompose certain Unicode characters that can affect the 
netloc part of your URL, potentially resulting in requests being sent to 
an unexpected host.

All versions of Python are affected. Patches have been applied for the 
next releases of 2.7, 3.7 and 3.8, and are under review for 3.4, 3.5 and 

Full details, links to the patches, and workarounds for applications are 
available at:

A CVE number has been requested but is not yet available.

The issue was discovered by Jonathan Birch of Microsoft Corporation and 
Panayiotis Panayiotou, and reported to the Python Security Response Team 
<security at>.

More information about the Python-announce-list mailing list