CVE-2021-28861 Overview
CVE-2021-28861 is an open redirection vulnerability affecting Python 3.x through version 3.10 in the lib/http/server.py module. The vulnerability exists due to insufficient protection against multiple forward slashes (/) at the beginning of a URI path, which can be exploited to redirect users to arbitrary external domains. This open redirection flaw can lead to information disclosure by tricking users into visiting malicious websites while believing they are navigating within a trusted application.
It is worth noting that this vulnerability is disputed by some parties, as the official Python documentation explicitly warns that http.server is not recommended for production use and only implements basic security checks.
Critical Impact
Attackers can exploit this open redirection vulnerability to redirect users to malicious external sites, potentially leading to credential theft, phishing attacks, or further exploitation through social engineering techniques.
Affected Products
- Python 3.x through 3.10
- Python 3.11.0 alpha1 through beta3
- Fedora 35, 36, and 37
Discovery Timeline
- 2022-08-23 - CVE-2021-28861 published to NVD
- 2025-12-17 - Last updated in NVD database
Technical Details for CVE-2021-28861
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as 'Open Redirect'). The flaw resides in Python's built-in HTTP server module (http.server), specifically in how it handles URI paths that begin with multiple forward slashes.
When a request is made with a URI path starting with multiple slashes (e.g., //evil.com), the http.server module fails to properly sanitize or normalize the path. This allows attackers to craft malicious URLs that appear to point to a legitimate application but actually redirect users to an attacker-controlled external domain.
The network-based attack vector requires user interaction, as victims must click on a crafted malicious link. Once clicked, the redirect occurs transparently, potentially exposing sensitive information or leading users to phishing pages designed to harvest credentials.
Root Cause
The root cause of this vulnerability lies in the inadequate input validation within lib/http/server.py. The module does not properly handle URI paths that contain multiple leading forward slashes. In URL semantics, a path beginning with // followed by a hostname is interpreted as a protocol-relative URL, which browsers will resolve to an external domain rather than a path on the current server.
The absence of normalization logic to detect and reject or sanitize such malformed URI paths allows the open redirection attack to succeed.
Attack Vector
An attacker can exploit this vulnerability by crafting a URL that points to a vulnerable Python HTTP server but includes a malicious redirect path. For example, a link such as http://legitimate-server.com//attacker.com/phishing could redirect users to attacker.com/phishing instead of serving content from the legitimate server.
This attack is particularly effective in phishing campaigns where attackers leverage the trust users have in the legitimate domain. The vulnerability requires user interaction (clicking the malicious link) but can be delivered through email, social media, or embedded in web pages.
The vulnerability mechanism is that the HTTP server does not normalize a path with multiple leading slashes before reusing it: when it answers such a request with a redirect, the unnormalized path is copied into the Location header, and the client resolves a value like //attacker.com/phishing as a scheme-relative URL pointing at an external host. For detailed technical analysis, refer to the Python Issue Tracker Report and the associated GitHub Pull Request.
Detection Methods for CVE-2021-28861
Indicators of Compromise
- HTTP access logs showing requests with URI paths beginning with multiple forward slashes (e.g., //external-domain.com/path)
- Unusual redirect responses (HTTP 301/302) pointing to external domains from the Python HTTP server
- User reports of unexpected redirections when accessing legitimate application URLs
Detection Strategies
- Monitor web server access logs for URI patterns containing // at the beginning of request paths
- Implement web application firewall (WAF) rules to detect and block requests with malformed URI paths containing multiple leading slashes
- Use network intrusion detection systems (IDS) to identify HTTP requests attempting open redirection patterns
- Deploy SentinelOne's behavioral AI to detect anomalous redirection patterns and suspicious HTTP traffic
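The log-based detection described above, as an added example that is not part of the original page: a Python scanner over access-log lines in the format that http.server's own log_request writes to stderr (client - - [timestamp] "request line" status size). It flags every request whose path begins with two or more slashes and records whether the server actually answered with a 301/302, so an operator can separate attempts from redirects that fired. The log lines, client addresses and hostnames are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log lines in the format http.server itself writes
# (BaseHTTPRequestHandler.log_request): client - - [timestamp] "request line" status size.
# Addresses and hosts are made up for this example.
SAMPLE_LOG = """\
127.0.0.1 - - [23/Aug/2022 10:00:01] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [23/Aug/2022 10:00:02] "GET /docs HTTP/1.1" 301 -
10.0.0.7 - - [23/Aug/2022 10:00:03] "GET //attacker.com/phishing HTTP/1.1" 301 -
10.0.0.7 - - [23/Aug/2022 10:00:04] "GET ///attacker.com/phishing HTTP/1.1" 404 -
10.0.0.9 - - [23/Aug/2022 10:00:05] "GET /static/app.js HTTP/1.1" 200 -
"""

LOG_LINE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class Finding:
    client: str
    timestamp: str
    path: str
    status: int
    # True when the server answered 301/302, i.e. the open redirect actually fired
    redirected: bool
    # Host a scheme-relative reference would resolve to, as urlsplit() parses it.
    # urlsplit() reads "///host/..." as an empty authority, so this is "" for that
    # form; the prefix check above still flags it.
    target_host: str


def scan_access_log(text: str) -> list[Finding]:
    """Return one Finding per request whose path begins with two or more slashes."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        path = m.group("path")
        if not path.startswith("//"):
            continue
        status = int(m.group("status"))
        findings.append(Finding(
            client=m.group("client"),
            timestamp=m.group("ts"),
            path=path,
            status=status,
            redirected=status in (301, 302),
            target_host=urlsplit(path).netloc,
        ))
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flag = "REDIRECT FIRED" if f.redirected else "attempt only"
        print(f"{f.timestamp} {f.client} {f.path} -> {f.status} ({flag}, host={f.target_host!r})")
```

Feed the output of a real server's stderr (or a reverse proxy's access log reformatted to the same shape) into scan_access_log; a 301/302 finding is the signal that the redirect reached a client, while a 404 finding is an attempt worth correlating by client address.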
Monitoring Recommendations
- Enable detailed HTTP request logging on all Python-based web servers to capture full URI paths
- Configure alerting for HTTP responses that redirect to external domains not on an approved allowlist
- Regularly audit Python application deployments to identify usage of http.server in production environments
How to Mitigate CVE-2021-28861
Immediate Actions Required
- Upgrade Python to patched versions: 3.10.7, 3.9.14, 3.8.14, 3.7.14, or 3.11.0rc1 and later
- Remove http.server from production deployments and replace with production-grade web servers such as nginx, Apache, or Gunicorn
- Implement input validation at the application or reverse proxy layer to reject or sanitize URI paths with multiple leading slashes
- Review and update any applications or scripts using http.server for testing or development purposes
Patch Information
Python has addressed this vulnerability in multiple maintenance releases. Patches are available through the GitHub Pull Request #93879. Users should update to the following fixed versions:
- Python 3.10.7 or later
- Python 3.9.14 or later
- Python 3.8.14 or later
- Python 3.7.14 or later
- Python 3.11.0rc1 or later
Linux distributions have also released updates. Fedora users can obtain patches through the Fedora package announcements. Gentoo users should refer to GLSA 202305-02.
Workarounds
- Deploy a reverse proxy (nginx, Apache, HAProxy) in front of Python HTTP servers to normalize and validate incoming URI paths
- Implement application-level middleware to detect and reject requests with URI paths starting with multiple slashes
- Use Python's http.server only in isolated development environments with no network exposure
- Add network segmentation to prevent untrusted users from accessing Python HTTP server instances
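The application-level workaround from the list above, as an added example (this is not code from the page or from CPython): a SimpleHTTPRequestHandler subclass whose parse_request either collapses a run of leading slashes to a single slash, which is the same normalization the upstream fix applies, or rejects such requests with 400. The HardenedHandler name, the policy attribute and the helper function names are assumptions made for this example.

```python
from __future__ import annotations

from functools import partial
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def normalize_request_path(path: str) -> str:
    """Collapse a run of leading slashes to exactly one.

    This is the same normalization the upstream fix performs in parse_request:
    "//attacker.com/phishing" becomes "/attacker.com/phishing", a plain path that
    the directory-redirect logic can no longer echo back as "//attacker.com/...".
    """
    if path.startswith("//"):
        return "/" + path.lstrip("/")
    return path


def has_multislash_path(requestline: str) -> bool:
    """True when the raw request line ("GET //x HTTP/1.1") carries a multi-slash path.

    Checked on the request line rather than self.path because a patched interpreter
    has already collapsed self.path by the time our code runs.
    """
    words = requestline.split()
    return len(words) >= 2 and words[1].startswith("//")


class HardenedHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that neutralizes multi-slash paths before routing."""

    # Policy knob assumed for this example (not a stdlib attribute):
    # "collapse" mirrors the upstream patch, "reject" answers 400 instead.
    policy = "collapse"

    def parse_request(self) -> bool:
        # The base class parses the request line, sets self.requestline and
        # self.path, and returns False (after sending its own error) on a
        # malformed request line.
        if not super().parse_request():
            return False
        if has_multislash_path(self.requestline):
            self.log_message("multi-slash path from %s: %r",
                             self.client_address[0], self.requestline)
            if self.policy == "reject":
                self.send_error(HTTPStatus.BAD_REQUEST,
                                "Path may not begin with multiple slashes")
                return False  # handle_one_request() then skips do_GET/do_HEAD
            self.path = normalize_request_path(self.path)
        return True


def main(port: int = 8000, directory: str = ".") -> None:
    # Loopback only: http.server is a development tool, as its documentation states.
    handler = partial(HardenedHandler, directory=directory)
    with ThreadingHTTPServer(("127.0.0.1", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    main()
```

With the default collapse policy the subclass behaves identically on patched and unpatched interpreters, which makes it a drop-in replacement for scripts that cannot yet move off an affected Python; the reject policy additionally produces a log line per attempt, which feeds the access-log monitoring described under Detection Methods.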
# Example: nginx reverse proxy configuration to block malicious URI paths
# Add to the server block. $request_uri is the raw URI the client sent;
# $uri already has adjacent slashes merged (merge_slashes is on by default),
# so the check must look at $request_uri.
if ($request_uri ~ "^//") {
    return 400;
}
# Alternative: redirect multiple leading slashes to a single slash.
# The regex is applied to $request_uri here because a rewrite directive
# matches the normalized $uri and would never see the doubled slashes.
location / {
    if ($request_uri ~ "^//+(.*)$") {
        return 301 /$1;
    }
    proxy_pass http://python_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

