An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
https://github.com/python/cpython/issues/102153
https://github.com/python/cpython/pull/99421
https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
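
The failure mode described above, seen from the defender's side, as an added example that is not part of the advisory or of CPython's own code: a blocklist-only check next to a fail-closed check that gives the same answer on patched and unpatched interpreters. The host names, the blocklist and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# C0 control characters (0x00-0x1F) plus space: the set the WHATWG URL
# specification strips from both ends of a URL before parsing.
C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))

BLOCKED_HOSTS = frozenset({"blocked.example"})  # constructed sample blocklist
ALLOWED_SCHEMES = frozenset({"http", "https"})  # assumption: web URLs only


def naive_is_allowed(url, blocked=BLOCKED_HOSTS):
    """Blocklist-only check of the kind the advisory says can be bypassed.

    On an affected interpreter a URL with leading blanks parses with an
    empty scheme and no hostname, so the lookup below finds nothing to block.
    """
    return urlsplit(url).hostname not in blocked


def is_allowed(url, blocked=BLOCKED_HOSTS, schemes=ALLOWED_SCHEMES):
    """Fail-closed check that does not depend on the parser version."""
    if not isinstance(url, str):
        return False
    cleaned = url.strip(C0_CONTROL_OR_SPACE)
    # Refuse blanks or control characters left inside the URL instead of
    # relying on how a given urllib.parse version treats them.
    if any(ch in C0_CONTROL_OR_SPACE for ch in cleaned):
        return False
    try:
        parts = urlsplit(cleaned)
        host = parts.hostname  # lower-cased by urllib.parse
    except ValueError:
        return False
    # A URL with no recognised scheme or no host is refused, not waved through.
    if parts.scheme not in schemes or not host:
        return False
    return host not in blocked
```

Upgrading the interpreter remains the fix; the stricter check covers code that must also run on versions before 3.11.4.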