Description
When the "configparser" module is used to write configuration files containing multi-line text values with carriage return characters (\r), the resulting file could be injected with unexpected keys and values if an attacker controls the written value.
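A caller-side mitigation for affected versions, as an added example (not part of the CVE record and not the CPython patch): it normalizes carriage returns before a value is stored, then re-parses the serialized output and rejects it if any section or key appears that was not set. The helper names `normalize_newlines`, `safe_set` and `dump_checked` are hypothetical, and the sample value is constructed.

```python
import configparser
import io


def normalize_newlines(value: str) -> str:
    """Map CRLF and bare CR to LF, so every break is written as an indented continuation."""
    return value.replace("\r\n", "\n").replace("\r", "\n")


def safe_set(cfg, section, option, value):
    """Store an untrusted value only after its line breaks are normalized."""
    if not cfg.has_section(section):
        cfg.add_section(section)
    cfg.set(section, option, normalize_newlines(value))


def structure(cfg):
    """Section and option names only; values are not compared."""
    return {s: sorted(cfg.options(s)) for s in cfg.sections()}


def dump_checked(cfg) -> str:
    """Serialize cfg and refuse the output if re-reading it yields different keys."""
    buf = io.StringIO()
    cfg.write(buf)
    text = buf.getvalue()
    # Assumption: the file is later read in text mode with universal newlines,
    # where a bare CR counts as a line break. Emulate that before re-parsing.
    reparsed = configparser.ConfigParser(interpolation=None)
    try:
        reparsed.read_string(normalize_newlines(text))
    except configparser.Error as exc:
        raise ValueError(f"serialized config does not re-parse: {exc}") from exc
    if structure(reparsed) != structure(cfg):
        raise ValueError("serialized config gained or lost sections/keys")
    return text


if __name__ == "__main__":
    cfg = configparser.ConfigParser(interpolation=None)
    # Constructed sample: a value whose bare CR is followed by key-like text.
    safe_set(cfg, "app", "motd", "line one\rinjected = yes")
    print(dump_checked(cfg))
```

`dump_checked` can also be run on a parser populated without `safe_set`, as a last check before the text is written to disk.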
Severity (CVSS)
| Base score | 4.1 |
|---|---|
| Severity | Medium |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Affected products
| Vendor | Product | Versions |
|---|---|---|
| Python Software Foundation | CPython | 0 to <3.15.0 |
References
- https://github.com/python/cpython/pull/151559 (patch)
- https://mail.python.org/archives/list/security-announce@python.org/thread/CV4NE6AFCRJL7XQOHX7J5TSDHUWVWGJS/ (vendor-advisory)
- https://github.com/python/cpython/issues/143927 (issue-tracking)
- https://github.com/python/cpython/commit/5858e42c539dac8394636a6e9b30472b8994851f (patch)
Generated from the official CVE List on 24 Jun 2026 09:35 UTC.