CVE-2023-24329: Python urllib.parse Flaw Allows Attackers to Bypass Blocklisting

CVE-2023-24329

A vulnerability has been discovered in the Python urllib.parse component that allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. This vulnerability, which has been assigned the identifier CVE-2023-24329, has a CVSS score of 7.5 and could be exploited to cause a variety of security problems, including arbitrary file reads, arbitrary command execution, SSRF, and CSRF.

In August 2022, security researcher Yebo Cao reported a flaw in the urllib.parse component of Python versions before 3.11.4. The issue is deceptively simple: the parser does not strip leading blank characters, so a URL that starts with a space or another control character slips past blocklisting checks that inspect the parsed scheme or hostname.

“The urlsplit() and urlparse() APIs do not perform validation of inputs. They may not raise errors on inputs that other applications consider invalid. They may also succeed on some inputs that might not be considered URLs elsewhere. Their purpose is for practical functionality rather than purity,” the CERT Coordination Center (CERT/CC) said in a Friday advisory.

The problem is that urlparse() (and urlsplit(), which it calls) did not strip leading blank characters before parsing. The scheme is only recognized when the URL begins with valid scheme characters, so a URL such as " https://example.com" (note the leading space) is parsed with an empty scheme and an empty netloc, with the entire string landing in the path. A filter that inspects the parsed scheme or hostname therefore finds nothing to block, while the HTTP client that eventually fetches the URL strips the whitespace and follows it. Both scheme-based and hostname-based blocklists are affected.

The consequences depend on which check is bypassed:

  1. Scheme (protocol) filtering failures: a filter that blocks schemes such as file: can be bypassed, leading to arbitrary file reads, arbitrary command execution, SSRF, and more.
  2. Domain name filtering failures: blocked or dangerous hosts become reachable again, Referer-based CSRF defenses fail, and similar host-based checks are defeated.
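The following is an added example (not code from the article or from CPython) that shows the bypass pattern described above and a check that does not depend on the interpreter being patched. naive_is_allowed() is a hypothetical blocklist of the kind the CVE defeats; hardened_is_allowed() strips leading C0 control characters and spaces the same way the fixed urlsplit() does, then allowlists the scheme and requires a host. The blocked hosts and the probe URLs are constructed for the example; on an unpatched interpreter the naive check lets the whitespace-prefixed probes through, on a patched one it does not, and the hardened check rejects them either way.

```python
from urllib.parse import urlparse

# Leading characters the upstream fix strips before parsing: C0 controls
# U+0000..U+001F plus U+0020 (space), as defined by the WHATWG URL spec.
_C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))

# Constructed policy for this example: hosts an outbound fetcher must never
# reach, and the only schemes it should honor.
BLOCKED_HOSTS = {"169.254.169.254", "metadata.internal", "localhost"}
ALLOWED_SCHEMES = {"http", "https"}


def naive_is_allowed(url: str) -> bool:
    """Blocklist check of the kind CVE-2023-24329 bypasses (hypothetical).

    It trusts urlparse() to find the scheme and host. On Python before the
    fix, " file:///etc/passwd" parses with scheme == "" and hostname None,
    so neither blocklist matches and the URL is allowed, even though the
    client that fetches it will strip the space and open the file.
    """
    parsed = urlparse(url)
    if parsed.scheme in {"file", "ftp", "gopher", "data"}:
        return False
    if parsed.hostname in BLOCKED_HOSTS:
        return False
    return True


def hardened_is_allowed(url: str) -> bool:
    """Allowlist check that works on patched and unpatched interpreters.

    Normalize the way the fixed urlsplit() does (strip leading C0 controls
    and spaces), then require an explicit, allowlisted scheme and a host.
    """
    normalized = url.lstrip(_C0_CONTROL_OR_SPACE)
    parsed = urlparse(normalized)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False
    host = parsed.hostname  # already lowercased by urlparse
    if not host:            # no authority at all: reject rather than guess
        return False
    if host in BLOCKED_HOSTS:
        return False
    return True


def interpreter_is_vulnerable() -> bool:
    """True when this interpreter's urlparse() still mis-parses a leading space."""
    return urlparse(" https://example.com/").scheme == ""


if __name__ == "__main__":
    probes = [
        "https://example.com/",
        " https://metadata.internal/latest/",  # leading space, blocked host
        "\x1ffile:///etc/passwd",              # leading C0 control, blocked scheme
        "file:///etc/passwd",
    ]
    print("urlparse() vulnerable on this interpreter:", interpreter_is_vulnerable())
    for u in probes:
        print(f"{u!r:42} naive={naive_is_allowed(u)!s:5} "
              f"hardened={hardened_is_allowed(u)}")
```

Run it under an interpreter older than 3.11.4 to see the naive check return True for the two whitespace-prefixed probes; the hardened check returns False for them on every version because it normalizes before parsing and never treats "no scheme, no host" as safe.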

Because urllib.parse sits underneath countless filters and frameworks, a parsing flaw at this level surfaces in many dependent applications at once, which makes it an attractive target for attackers.

The Python developers have released patches addressing the issue in the following versions:

  • >= 3.12
  • 3.11.x >= 3.11.4
  • 3.10.x >= 3.10.12
  • 3.9.x >= 3.9.17
  • 3.8.x >= 3.8.17
  • 3.7.x >= 3.7.17

Users of older versions of Python should upgrade to a patched version as soon as possible. In the meantime, organizations can reduce the risk of CVE-2023-24329 by not relying on blocklists built on urllib.parse alone: strip leading whitespace and control characters from a URL before parsing it, require an explicit scheme and host, and prefer allowlisting of schemes and hosts over blocklisting.