Type Confusion Vulnerability in RestrictedPython Tool by Zope Foundation
CVE-2025-22153

7.9HIGH

Key Information:

Vendor
CVE Published:
23 January 2025

What is CVE-2025-22153?

A type confusion vulnerability exists in the RestrictedPython tool, where an issue in versions of the CPython interpreter, starting from 3.11 and prior to 3.13.2, allows for bypassing the restrictions imposed by RestrictedPython versions 6.0 through 8.0. This occurs when using try/except* clauses, which can be exploited to introduce untrusted program inputs into a system. The problem has been addressed in version 8.0 of RestrictedPython, which eliminated support for these clauses. As of now, no known workarounds are available for the affected versions.

Affected Version(s)

RestrictedPython >= 6.0, < 8.0

References

CVSS V3.1

Score:
7.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.