I'm not saying that this issue is not a vulnerability, just that the scope is limited.
By default, downloaded from the Internet are disabled. You have to opt-in for that using -u network (or -u all which enables the network resource) command line option of "./python -m test".
Impacted:
* "make testall", "make testuniversal" and "make buildbottest" commands are impacted (pass -u all to the test suite).
* Python buildbot workers are impacted: they run the "make buildbottest" command.
* Travis CI is impacted: it runs "./python -m test -uall,-cpu (...)".
* Multiple GitHub Action jobs are impacted (coverage, Windows, macOS, Ubuntu): run "-uall,-cpu".
* Azure Pipelines jobs are impacted: use -uall,-cpu.
> https://src.fedoraproject.org/rpms/python3.9/blob/master/f/python3.9.spec#_1168
Fedora packages are not impacted: no -u option is passed to the test suite.
> Anyone building with --enable-optimizations (PGO) will likely do so as well, though I'm not sure if that runs this part of the testsuite.
PGO build is not impacted, it uses "./python -m test --pgo" (download is disabled). Moreover, multibyte codec checks are not run by this command (see Lib/test/libregrtest/pgo.py, only test_codecs of codec tests is run).