CPython Vulnerability in Bytes Decoding with Unicode Escape
CVE-2025-4516

5.9 MEDIUM

What is CVE-2025-4516?

A use-after-free exists in CPython's 'unicode_escape' decoder when bytes.decode() is called with that encoding together with a lossy error handler, i.e. errors='ignore' or errors='replace'. Calls that use any other encoding, or that use 'unicode_escape' with the default 'strict' handler, are not affected. Until an upgraded interpreter is in place, the recommended workaround is to drop the error handler: call bytes.decode('unicode_escape') with default strict handling and wrap the call in a try/except that catches UnicodeDecodeError (the exception CPython actually raises for a malformed escape; there is no built-in DecodeError).

Affected Version(s)

CPython < 3.9.23

CPython >= 3.10.0, < 3.10.18

CPython >= 3.11.0, < 3.11.13

References

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: High
Attack Requirements: Present
Privileges Required: None
User Interaction: None
