Understanding CVE-2023-24329 - Python urlparse Function

What does urlparse do?

The urlparse function in Python's urllib.parse module splits a URL string into its six components (scheme, netloc, path, params, query, fragment); the complementary urlunparse function combines such components back into a complete URL string. Security filters commonly inspect the netloc or hostname that urlparse returns.

Description

CVE-2023-24329 is a vulnerability in the urllib.parse module of Python (prior to version 3.11.4) that allows attackers to bypass blocklist-based domain filtering by prepending whitespace characters to a URL.


Code Analysis

[Figure: CVE-2023-24329 sample code]

In the sample code, certain domains (like example.com) are blocklisted. The function safeURLOpener() is then called with two versions of the same URL:

  • safeURLOpener("https://example.com") — no space
  • safeURLOpener(" https://example.com") — space at the beginning

Both URLs point to the same domain, but the second bypasses the filter due to the leading space.

Target Site View

[Figure: example.com]

Execution

[Figure: request]

In Python versions prior to 3.11.4, even though the domain is blocklisted, the leading space causes urlparse to return a different hostname from the one on the blocklist (the scheme and netloc are not recognised, so the check sees no matching host). As a result, the request is allowed and a response from https://example.com is received.
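The following is an added example, not code from the post: it reconstructs the kind of blocklist check described above (trusting whatever hostname the parser returns) beside a hardened version that fails closed by rejecting whitespace and control characters, requiring a permitted scheme and a non-empty hostname, and normalising the host before comparison. The blocklist contents, function names and sample URLs are constructed for illustration. Whether the naive check is bypassed by " https://example.com" depends on the interpreter version, which is why the hardened check does not rely on the parser's behaviour at all.

```python
"""Blocklist check around urllib.parse: the naive pattern the post describes
beside a fail-closed hardened form (added example, constructed sample data)."""

from urllib.parse import urlsplit

BLOCKLIST = {"example.com"}          # constructed sample blocklist
ALLOWED_SCHEMES = {"http", "https"}

# ASCII control characters (0x00-0x1f, 0x7f) and the space character.
# Well-formed absolute URLs never contain these, so their presence is
# treated as tampering and the URL is rejected outright, not stripped.
_FORBIDDEN = {chr(c) for c in range(0x21)} | {"\x7f"}


def hostname_seen_by_urlsplit(url: str):
    """What the parser reports as the hostname. For ' https://example.com'
    this is None on Python < 3.11.4 and 'example.com' on fixed releases,
    which is exactly the difference the CVE exploits."""
    return urlsplit(url).hostname


def naive_is_blocked(url: str) -> bool:
    """The vulnerable pattern: trust whatever hostname the parser returns
    and compare it directly with the blocklist. A None or empty hostname
    is silently treated as 'not blocked', so the filter fails open."""
    return hostname_seen_by_urlsplit(url) in BLOCKLIST


def hardened_allows(url: str) -> bool:
    """Fail-closed check: a URL is allowed only if it is well formed
    *and* its normalised hostname is not blocklisted."""
    # 1. Reject, rather than strip, whitespace and control characters
    #    anywhere in the string; silent stripping is what let the parser
    #    and the filter disagree about the same URL.
    if any(ch in _FORBIDDEN for ch in url):
        return False
    parts = urlsplit(url)
    # 2. Require an explicit, permitted scheme and a non-empty hostname,
    #    so a parse that yields no netloc cannot slip past the check.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    # 3. Normalise the hostname (case, trailing dot) before comparing.
    host = parts.hostname.lower().rstrip(".")
    # 4. Only now consult the blocklist.
    return host not in BLOCKLIST


if __name__ == "__main__":
    for sample in ("https://example.com", " https://example.com",
                   "https://EXAMPLE.com.", "https://other.test/path"):
        print(repr(sample),
              "naive blocked:", naive_is_blocked(sample),
              "hardened allows:", hardened_allows(sample))
```

Note that the hardened check is still a blocklist; where the set of legitimate destinations is known, an allowlist of hostnames applied after the same validation steps is the stronger design.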

Impact

This vulnerability allows attackers to bypass domain or protocol filters implemented via blocklists. Depending on what the filter was protecting, exploiting it can lead to:

  • Arbitrary file reads
  • Remote command execution
  • Server-Side Request Forgery (SSRF)
  • Other critical security issues
Source: https://blog.hanzalaghayasabbasi.com/posts/cve-202324329-understand/
Author: Hanzala Ghayas Abbasi
Published: 2023-08-14
License: CC BY-NC-SA 4.0