CVE-2019-9947 in Python
Summary
by MITRE
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.2. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string or PATH_INFO) followed by an HTTP header or a Redis command. This is similar to CVE-2019-9740.
Analysis
by VulDB Data Team • 05/28/2025
This vulnerability exists in Python's HTTP handling libraries where improper input validation allows for CRLF (Carriage Return Line Feed) injection attacks. The flaw manifests when user-controlled URL parameters are processed without adequate sanitization, particularly affecting the query string or PATH_INFO components of HTTP requests. Attackers can manipulate these parameters to inject malicious CRLF sequences that break out of the intended HTTP request context, enabling various attack vectors including HTTP response splitting and header manipulation. The vulnerability affects Python 2.x through 2.7.16 and Python 3.x through 3.7.2, representing a significant security risk across multiple Python versions.
Technically, the vulnerability stems from insufficient validation of URL components before the urllib libraries serialize them into an HTTP request. When a URL parameter contains CRLF characters, the sequence is neither escaped nor rejected, so it is emitted as a line break in the request and interpreted as an actual HTTP protocol delimiter. This lets an attacker inject additional HTTP headers or commands, potentially leading to unauthorized access, data leakage, or manipulation of HTTP responses. The vulnerability specifically impacts the urllib.request.urlopen function and the underlying HTTP client mechanisms within Python's standard library.
The operational impact of CVE-2019-9947 is substantial as it enables attackers to perform various malicious activities through web applications that rely on Python's urllib libraries for HTTP communication. An attacker could exploit this vulnerability to inject HTTP headers that redirect responses, manipulate cookies, or even execute commands in certain contexts. The similarity to CVE-2019-9740 indicates a pattern of weak input validation in Python's HTTP handling components, suggesting that applications using these libraries may be vulnerable to broader classes of injection attacks. This vulnerability particularly affects web applications that process user input through URL parameters without proper sanitization.
Mitigation strategies for this vulnerability include upgrading to a patched Python release where the issue has been resolved, validating and sanitizing all URL parameters, and deploying web application firewalls that can detect and block CRLF injection attempts. Organizations should also enforce strict parameter validation at the application level, ensuring that all user-supplied input is properly escaped before it is used to build HTTP requests. The vulnerability aligns with CWE-117, which addresses improper output neutralization for logs, and relates to ATT&CK technique T1071.004 for application layer protocol tunneling, highlighting the need for comprehensive network security measures beyond just patch management.
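As an added example (not part of the VulDB entry and not CPython's own code), the following Python demonstrates the two application-level mitigations described in the mechanism and mitigation paragraphs above: a reject policy that refuses a URL carrying raw control characters before it reaches urllib.request.urlopen, and an encode policy that composes URLs from untrusted pieces with quote() and urlencode() so a CR/LF can only travel as the literal text %0D%0A. It also probes whether the running interpreter's http.client refuses such a request target, which is the behaviour the upstream fix introduced. The host target.example, the sample URLs and all function names are constructed for the example; the control-character class mirrors the one the CPython fix checks in http.client.

```python
import re
import http.client
from urllib.parse import quote, urlencode

# Character class mirroring what the CPython fix for this issue checks in
# http.client: ASCII control characters, space and DEL. CR (0x0d) and LF
# (0x0a) are the ones CRLF injection depends on.
_DISALLOWED_URL_CHAR_RE = re.compile(r"[\x00-\x20\x7f]")

# Constructed sample inputs (hypothetical host "target.example").
SAFE_URL = "http://target.example/api/items?id=42"
CRLF_URL = "http://target.example/api/items?id=42\r\nX-Injected: 1"


def contains_control_chars(url: str) -> bool:
    """True if the raw URL string carries any control character."""
    return _DISALLOWED_URL_CHAR_RE.search(url) is not None


def validate_url(url: str) -> str:
    """Reject policy: refuse the URL before it reaches urllib.request.urlopen.

    Works on the raw string on purpose: recent urllib.parse.urlsplit
    silently drops tab, CR and LF, which would hide what we are checking.
    """
    match = _DISALLOWED_URL_CHAR_RE.search(url)
    if match is not None:
        raise ValueError("control character 0x%02x in URL at offset %d"
                         % (ord(match.group()), match.start()))
    return url


def build_query_url(base: str, path_segments, params: dict) -> str:
    """Encode policy: never concatenate untrusted text into a URL.

    Each path segment is percent-encoded with quote() and the query is
    built with urlencode(), so a CR/LF in user input can only travel as the
    literal text %0D%0A and can never become a line break on the wire.
    """
    path = "/" + "/".join(quote(seg, safe="") for seg in path_segments)
    query = "?" + urlencode(params) if params else ""
    return base.rstrip("/") + path + query


def request_target(url: str) -> str:
    """Path-and-query part of an absolute http(s) URL, left unmodified."""
    rest = url.split("://", 1)[1]
    slash = rest.find("/")
    return rest[slash:] if slash >= 0 else "/"


def stdlib_rejects(url: str) -> bool:
    """Probe whether this interpreter's http.client refuses the request
    target, which is what the fix shipped in Python 3.7.3 / 2.7.17 does.

    putrequest() only validates and buffers the request line; no socket is
    opened, so this runs offline.
    """
    conn = http.client.HTTPConnection("localhost")
    try:
        conn.putrequest("GET", request_target(url), skip_host=True)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    for url in (SAFE_URL, CRLF_URL):
        print(repr(url), "control chars:", contains_control_chars(url),
              "stdlib rejects:", stdlib_rejects(url))
    print(build_query_url("http://target.example", ["api", "items"],
                          {"id": "42\r\nX-Injected: 1"}))
```

The encode policy is the one to prefer in application code: a percent-encoded %0D%0A stays encoded on the wire and is decoded only by the receiving application, so no header boundary is created. The reject policy matches the standard library's own check, which also refuses raw spaces; that is intentional, since a space in a request line is equally a delimiter.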