Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-1502

created 3 days, 22 hours ago

HTTP client proxy tunnel headers not validated for CR/LF

CR/LF bytes were not rejected by HTTP client proxy tunnel headers or host.

References

https://github.com/python/cpython/pull/146212 patch
https://github.com/python/cpython/issues/146211 issue-tracking
https://mail.python.org/archives/list/security-announce@python.org/thread/2IVPA… vendor-advisory
https://github.com/python/cpython/commit/05ed7ce7ae9e17c23a04085b2539fe6d6d3cef… patch

Affected products

http.client

<3.15.0

Matching in nixpkgs

pkgs.haskellPackages.cpython

Bindings for libpython

nixos-unstable 3.9.0
- nixpkgs-unstable 3.9.0
- nixos-unstable-small 3.9.0
nixos-25.11 3.9.0
- nixos-25.11-small 3.9.0
- nixpkgs-25.11-darwin 3.9.0

Package maintainers

@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>