CVE-2022-0391 Overview
A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue involves how the urlparse method does not sanitize input and allows characters like \r and \n in the URL path. This flaw allows an attacker to input a crafted URL, leading to injection attacks. This flaw affects Python versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11, and 3.6.14.
Critical Impact
Attackers can inject CRLF (Carriage Return Line Feed) characters into URLs processed by Python's urllib.parse module, potentially leading to HTTP header injection, response splitting, and other injection-based attacks against applications relying on this library for URL parsing.
Affected Products
- Python (versions prior to 3.10.0b1, 3.9.5, 3.8.11, 3.7.11, and 3.6.14)
- NetApp Active IQ Unified Manager
- NetApp HCI
- NetApp Management Services for Element Software
- NetApp ONTAP Select Deploy Administration Utility
- NetApp SolidFire, Enterprise SDS & HCI Storage Node
- NetApp HCI Compute Node
- Fedora 34 and 35
- Oracle HTTP Server 12.2.1.3.0 and 12.2.1.4.0
- Oracle ZFS Storage Appliance Kit 8.8
Discovery Timeline
- February 9, 2022 - CVE-2022-0391 published to NVD
- December 17, 2025 - Last updated in NVD database
Technical Details for CVE-2022-0391
Vulnerability Analysis
The vulnerability exists in Python's urllib.parse module, which is a fundamental component used for parsing URLs into their constituent parts (scheme, netloc, path, parameters, query, and fragment). The core issue is that the urlparse() function fails to properly sanitize special control characters, specifically carriage return (\r) and line feed (\n) characters, when processing URL path components.
When an application uses urllib.parse.urlparse() to process user-supplied URLs, an attacker can craft malicious URLs containing CRLF sequences. These sequences can then be used to manipulate HTTP headers or inject additional content when the parsed URL is subsequently used in HTTP requests or responses. This type of vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component - Injection).
Root Cause
The root cause of this vulnerability is insufficient input validation within the urllib.parse module. The urlparse() function was designed to split URLs into components but did not include logic to strip or reject control characters that have special meaning in HTTP protocols. The lack of sanitization for \r (CR - 0x0D) and \n (LF - 0x0A) characters allows these bytes to pass through unchanged, which can be exploited when the parsed URL components are used to construct HTTP headers or other protocol-sensitive output.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Providing a malicious URL containing CRLF characters to an application that uses Python's urllib.parse module
- The application parses the URL using urlparse() without additional sanitization
- The parsed components, still containing the CRLF sequences, are used in constructing HTTP requests or responses
- The injected CRLF characters allow the attacker to insert arbitrary HTTP headers or split the HTTP response
The vulnerability manifests when applications trust the output of urllib.parse.urlparse() to be safe for use in HTTP contexts. Attackers can inject headers like Set-Cookie for session hijacking, or perform HTTP response splitting to inject malicious content. For technical details, see the Python Issue #43882 tracking this vulnerability.
Detection Methods for CVE-2022-0391
Indicators of Compromise
- HTTP requests or responses containing unexpected CRLF sequences in URL-derived fields
- Anomalous HTTP headers appearing in server logs that were not legitimately set
- Evidence of HTTP response splitting in web application logs
- Unusual Set-Cookie headers or redirects originating from URL parameter manipulation
Detection Strategies
- Monitor web application logs for URLs containing encoded or literal CRLF characters (%0d, %0a, \r, \n)
- Implement Web Application Firewall (WAF) rules to detect and block CRLF injection attempts in URL parameters
- Audit Python applications for use of urllib.parse.urlparse() on untrusted input without subsequent sanitization
- Deploy runtime application security monitoring to detect injection patterns in HTTP contexts
Monitoring Recommendations
- Enable detailed logging for web servers and reverse proxies to capture full request URLs and headers
- Configure alerting for HTTP response splitting patterns in application security monitoring tools
- Regularly scan Python environments to identify vulnerable versions using software composition analysis (SCA) tools
- Monitor for unusual session manipulation or cookie injection activity that could indicate exploitation
How to Mitigate CVE-2022-0391
Immediate Actions Required
- Upgrade Python to patched versions: 3.10.0b1 or later, 3.9.5 or later, 3.8.11 or later, 3.7.11 or later, or 3.6.14 or later
- Audit applications using urllib.parse to identify exposure to user-controlled URL input
- Implement application-level input validation to strip or reject CRLF characters before URL parsing
- Review and update third-party dependencies that bundle or embed Python
Patch Information
Security patches are available from the Python Software Foundation and various downstream distributors. Refer to the Python Issue #43882 for details on the fix. Additional security advisories have been published by:
- Oracle CPU April 2022 Security Alert
- NetApp Security Advisory ntap-20220225-0009
- Gentoo GLSA 202305-02
Workarounds
- Sanitize all user-supplied URLs by removing or encoding CRLF characters (\r, \n) before passing to urllib.parse
- Implement strict URL validation using allowlists for expected URL patterns
- Use Web Application Firewalls configured to block requests containing CRLF injection patterns
- Consider using alternative URL parsing libraries that implement stricter input validation
# Check Python version and upgrade if vulnerable
python3 --version
# For systems using pip, upgrade Python via package manager
# Debian/Ubuntu
sudo apt update && sudo apt install python3
# RHEL/CentOS/Fedora
sudo dnf update python3
# Verify the version is patched (3.9.5+, 3.8.11+, 3.7.11+, or 3.6.14+)
python3 -c "import sys; print(sys.version)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
