Data Integrity Vulnerability in Python's Base64 Module
CVE-2025-12781

6.3 MEDIUM

Key Information:

Status
Vendor
CVE Published:
21 January 2026

What is CVE-2025-12781?

A data integrity vulnerability exists in Python's base64 module, in the functions b64decode(), standard_b64decode(), and urlsafe_b64decode(). These functions accept the '+' and '/' characters regardless of the 'altchars' parameter used to define an alternative base64 alphabet. Older base64 RFCs endorse this behavior, but updated documentation suggests that characters outside the designated base64 set should either be rejected or cause an error. The discrepancy poses a risk to applications that use alternate base64 alphabets and can compromise data integrity. The patch does not enforce strict errors: it keeps existing code working while deprecating the current behavior for future revisions. Developers are advised to validate user input against the expected base64 alphabet to mitigate the risk.
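One way to do the input validation recommended above, as an added example (not CPython's or the advisory's own code). The helper name `strict_b64decode`, the constant `STD_ALTCHARS`, and the requirement that input be padded and free of whitespace are assumptions of this example.

```python
import base64
import re

STD_ALTCHARS = b"+/"  # the two non-alphanumeric symbols of the standard alphabet


def strict_b64decode(data, altchars=STD_ALTCHARS):
    """Decode padded base64, rejecting any byte outside the expected alphabet.

    altchars: the two bytes that stand in for '+' and '/' (b"-_" for URL-safe).
    Raises ValueError on foreign characters, whitespace, or bad padding.
    """
    if isinstance(data, str):
        # Non-ASCII text raises UnicodeEncodeError, a ValueError subclass.
        data = data.encode("ascii")
    data = bytes(data)
    altchars = bytes(altchars)
    if len(altchars) != 2 or altchars[0] == altchars[1]:
        raise ValueError("altchars must be two distinct bytes")

    # Alphabet: A-Z a-z 0-9 plus exactly the two altchars. With altchars set
    # to b"-_", the characters '+' and '/' are NOT part of the alphabet.
    sym = b"[A-Za-z0-9" + re.escape(altchars) + b"]"
    pattern = (b"(?:" + sym + b"{4})*"
               b"(?:" + sym + b"{2}==|" + sym + b"{3}=)?")
    if re.fullmatch(pattern, data) is None:
        raise ValueError("input is not valid base64 in the expected alphabet")

    # Translate to the standard alphabet here, so the result does not depend
    # on how the installed CPython treats '+' and '/' when altchars is passed.
    standard = data.translate(bytes.maketrans(altchars, STD_ALTCHARS))
    return base64.b64decode(standard, validate=True)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(strict_b64decode(b"-_-_", altchars=b"-_"))   # URL-safe input, accepted
    try:
        strict_b64decode(b"+/+/", altchars=b"-_")      # standard symbols, refused
    except ValueError as exc:
        print("rejected:", exc)
```

Calling the helper in place of `urlsafe_b64decode()` makes the check independent of whether the interpreter is one of the affected versions.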

Affected Version(s)

CPython 0 < 3.13.10

CPython 3.14.0 < 3.14.1

CPython 3.15.0a1 < 3.15.0a2

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
