CVE-2021-28861 Overview
CVE-2021-28861 is an open redirect vulnerability in Python 3.x through 3.10 affecting the lib/http/server.py module. The flaw stems from missing validation of multiple leading slashes (/) in the URI path. An attacker can craft a URL that causes http.server to redirect users to an attacker-controlled host, enabling phishing and information disclosure attacks. The issue is classified under CWE-601: URL Redirection to Untrusted Site. The vulnerability is disputed by a third party because Python documentation explicitly states that http.server is not recommended for production use and only implements basic security checks.
Critical Impact
Attackers can craft URIs with multiple leading slashes to redirect victims from a trusted Python http.server instance to malicious external domains, facilitating credential theft and phishing campaigns.
Affected Products
- Python 3.x through 3.10 (including 3.11.0 alpha 1–7 and beta 1–3)
- Fedora 35, 36, and 37
- Debian and Gentoo distributions shipping affected Python versions
Discovery Timeline
- 2022-08-23 - CVE-2021-28861 published to NVD
- 2025-12-17 - Last updated in NVD database
Technical Details for CVE-2021-28861
Vulnerability Analysis
The vulnerability resides in the request handling logic of Python's built-in http.server module, specifically in lib/http/server.py. When the server receives a request with a path beginning with two or more forward slashes (for example, //evil.com/path), the redirect-handling code treats the path as a protocol-relative URL. Browsers interpret protocol-relative URLs by appending the current scheme, causing the user agent to navigate to evil.com instead of remaining on the original host.
The weakness is categorized as CWE-601, URL Redirection to Untrusted Site. Exploitation requires user interaction, as the victim must click a crafted link. The scope is changed because the redirect crosses a trust boundary from the Python server to an arbitrary external domain.
Root Cause
The root cause is insufficient input sanitization in the path normalization routine of http.server. The code did not collapse or reject sequences of leading slashes before constructing the Location header used in 301 Moved Permanently responses. The fix, applied in GitHub PR #93879, normalizes paths so that multiple leading slashes cannot be interpreted as a network-location authority component.
Attack Vector
The attack is delivered over the network and requires no privileges. An attacker constructs a URL such as http://victim-server///attacker.com/path and lures a user to click it. The vulnerable http.server instance responds with a redirect whose Location header points to the attacker domain. The browser follows the redirect, and the user lands on the malicious site while believing the link originated from the trusted server. Refer to Python Issue #43223 for the original technical discussion.
// No verified exploit code is published. See the linked Python bug tracker and pull requests for the patch diff and reproduction details.
Detection Methods for CVE-2021-28861
Indicators of Compromise
- HTTP access logs from Python http.server containing request paths with two or more consecutive leading forward slashes (for example, GET //attacker.com/ HTTP/1.1)
- Outbound 301 or 302 responses with Location headers pointing to external domains not controlled by the server operator
- Referer headers in downstream web traffic showing redirection chains that originate from internal Python http.server endpoints
Detection Strategies
- Inspect web server and reverse-proxy logs for URI patterns matching the regular expression ^/{2,}[^/] against any Python http.server host
- Deploy web application firewall (WAF) rules that block or alert on requests whose path component begins with multiple slashes followed by a domain-like token
- Correlate redirect responses with destination hostnames using DNS and threat-intelligence feeds to flag redirects to newly registered or low-reputation domains
Monitoring Recommendations
- Forward Python http.server access logs to a centralized SIEM and build a dashboard that surfaces non-2xx responses with external Location headers
- Alert on any production system still running http.server directly, since Python documentation warns it is not intended for production deployment
- Monitor for spikes in user-clickthrough traffic from email gateways that resolve to internal Python service URLs containing encoded slashes (%2F%2F)
How to Mitigate CVE-2021-28861
Immediate Actions Required
- Upgrade Python to a patched release that includes the fix from GitHub PR #93879
- Replace any production use of http.server with a hardened WSGI or ASGI server such as gunicorn, uWSGI, or uvicorn fronted by a reverse proxy
- Apply distribution-level updates for Fedora, Debian, and Gentoo as noted in the Gentoo GLSA #202305-02 and Debian LTS Announcement
Patch Information
The fix is tracked in the CPython repository through GitHub PR #24848 and GitHub PR #93879, which normalize paths containing multiple leading slashes before generating redirect responses. The patched code is included in Python 3.11 and backported to supported maintenance branches. Vendors including Fedora, Debian, and Gentoo have shipped updated packages; refer to the corresponding Fedora Package Announcement advisories.
Workarounds
- Place a reverse proxy such as nginx or Apache in front of any exposed Python http.server instance and configure it to reject or normalize paths containing multiple leading slashes
- Subclass http.server.SimpleHTTPRequestHandler and override the redirect logic to strip or reject paths matching ^/{2,}
- Restrict http.server to loopback interfaces (127.0.0.1) so external clients cannot reach the vulnerable endpoint
# nginx snippet to reject requests with multiple leading slashes before they reach the Python backend
location / {
if ($request_uri ~ "^//") {
return 400;
}
proxy_pass http://127.0.0.1:8000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
